Category Archives: Cisco Talos

Threat Roundup for January 15 to January 22

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between January 15 and January 22. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


Reference

20210122-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the full post for more details.

The SolarWinds Orion Breach, and What You Should Know

By Joe Marshall of Cisco Talos and Paul Smith of Cisco IoT

What is this?

On December 11th, 2020, the U.S. government and the company SolarWinds disclosed a breach of the SolarWinds Orion Platform network management software. The attack was conducted by a sophisticated and likely nation-state-backed attacker. SolarWinds Orion is a commonly used network management software stack used to manage complex switched and routed IT/OT architectures.

High-profile customers of the Orion platform include numerous U.S. government agencies and many private entities. The adversary was able to penetrate SolarWinds’ software development infrastructure and bolt malware into a legitimate SolarWinds software update for the Orion platform. In March of 2020, this malicious ‘patch’ was distributed; it could then provide backdoor access into victims’ networks, from which the adversary could exfiltrate data.

Due to the enormity of this attack, forensic and threat intelligence information is still rapidly changing. For Cisco Secure and IoT customers, our security coverage and updates can be found in the Cisco Talos blog post. At the time of this posting, SolarWinds customer exposure is stated to be fewer than 18,000 of the 30,000 Orion platform customers.

What do you do about it?

Per an advisory published by the Cybersecurity & Infrastructure Security Agency, or CISA, potential victims should identify which victim category they fall into based on whether or not they installed the following binaries and whether those binaries contacted the command and control (C2) server avsvmcloud[.]com:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

To help you determine a level of concern, CISA has also defined the following categories so you can understand your risk and perform incident response as necessary.

  • Category 1: includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.
  • Category 2: includes those who have identified the presence of the malicious binary—with or without beaconing to avsvmcloud[.]com. Owners with infected appliances communicating with avsvmcloud[.]com but not with a secondary C2—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
  • Category 3: includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020—not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.
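The CISA categorization above, as an added worked example that is not part of the original post or of CISA’s advisory: it encodes the four listed Orion builds, the avsvmcloud[.]com first-stage beacon, the secondary-C2 signal and the “beaconing ceased before December 14, 2020” edge case as a triage function over a constructed host inventory. The hostnames, versions and observations in the sample fleet are made up for illustration; the real inputs would come from your asset inventory and network monitoring.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Orion builds that CISA lists as carrying the trojanized component (from the list above).
AFFECTED_VERSIONS = {
    "2019.4.5200.9083",   # 2019.4 HF5
    "2020.2.100.12219",   # 2020.2 RC1
    "2020.2.5200.12394",  # 2020.2 RC2
    "2020.2.5300.12432",  # 2020.2 and 2020.2 HF1
}
CUTOFF = date(2020, 12, 14)  # beaconing that stopped on its own before this date is a Category 3 signal
ACTIONS = {
    1: "Patch and resume use as internal risk evaluation allows.",
    2: "Harden, reinstall from a verified supply chain, then resume after a thorough risk evaluation.",
    3: "Assume compromise and initiate incident response immediately.",
}

@dataclass
class HostObservation:
    """What asset inventory plus network monitoring tell us about one host."""
    hostname: str
    orion_version: Optional[str]   # None if Orion is not installed
    binary_confirmed: bool         # malicious binary found by file, process or DLL check
    beaconed_avsvmcloud: bool      # any traffic to avsvmcloud[.]com observed
    secondary_c2: bool             # follow-on C2 to a separate domain or IP observed
    last_beacon: Optional[date]    # most recent avsvmcloud[.]com beacon seen
    blocked_by_defenders: bool     # beaconing stopped because defenders blocked it

def has_malicious_binary(obs: HostObservation) -> bool:
    """A listed version counts as presence: the trojan shipped inside these builds."""
    return obs.binary_confirmed or obs.orion_version in AFFECTED_VERSIONS

def cisa_category(obs: HostObservation) -> int:
    if not has_malicious_binary(obs):
        return 1
    if obs.secondary_c2:
        return 3
    # Beaconing that ceased before the cutoff without defender action suggests the
    # adversary moved to a second-stage channel, so CISA places it in Category 3.
    if (obs.beaconed_avsvmcloud and obs.last_beacon is not None
            and obs.last_beacon < CUTOFF and not obs.blocked_by_defenders):
        return 3
    return 2

def triage_fleet(hosts):
    """Map each hostname to its CISA category; ACTIONS[category] gives the next step."""
    return {h.hostname: cisa_category(h) for h in hosts}

# Constructed sample fleet; hostnames, versions and observations are made up for illustration.
SAMPLE_FLEET = [
    HostObservation("orion-prod-01", "2020.2.5300.12432", True, True, False, date(2020, 12, 18), False),
    HostObservation("orion-lab-02", "2020.2.100.12219", True, True, False, date(2020, 11, 30), False),
    HostObservation("orion-dr-03", "2020.2.5200.12394", False, True, True, date(2020, 12, 17), False),
    HostObservation("orion-old-04", "2019.4.5100.0", False, False, False, None, False),
]
```

Note that a host whose beaconing stopped early because defenders blocked it stays in Category 2; only an unexplained halt before the cutoff escalates it.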

What does this mean?

The SolarWinds Orion compromise is an incredibly impactful attack across numerous industrial verticals, especially electric subsectors concerned with critical infrastructure. It will perhaps be regarded in the same category as NotPetya or CCleaner, as another successful nation-state supply chain attack with vast ramifications. Because this attack was only recently discovered and is large in both breadth and scope, we will be unpacking the damage done and discovering new forensic details for a considerable amount of time. Now is as good a time as any to consider your operating risks and the cyber threats to your business continuity.

As potentially damaging as the SolarWinds compromise could be, it could also be a catalyst for positive change for your enterprise. We would encourage you to think about your converged IT/OT architectures – what exposures and risks do you have, not just from something like the SolarWinds compromise, but from any enterprise product that straddles both information and operational technology? Could you identify all the risks and exposures you have? From fundamental asset identification, network mapping and data flows, to unpatched vulnerabilities and process identification, there is a lot to consider.

It is also important to note that the attack on the SolarWinds Orion platform can absolutely cause an unwanted disruption in an operational network. Due to the pervasive nature of this platform, its tendrils can extend very far into the spine of an operational technology environment. From assigning IP addresses and port security, to Active Directory integration, to patch management and network monitoring, SolarWinds Orion can run very deep into networks. This is largely undesirable for security reasons, but many enterprises may view it as a necessary evil to maintain a large and complex infrastructure.

Furthermore, because of the way products like SolarWinds Orion manage the infrastructure, they require stored credentials and keys to be put in place to deliver that ease of use. This has long been the dilemma faced in IT/OT infrastructure: fewer people managing larger-scale networks using the convenience of ‘single pane of glass’ tools. These tools create security holes, and it is really up to the enterprise to weigh the risk versus the reward.

Conclusion

Long gone are the halcyon days of only external cyber risks to your enterprise. As organizations outsource all or parts of their IT and make heavier use of cloud services, their cybersecurity relies even more on that of their suppliers. We now live in an era of nation-state-compromised supply chains that could impact your enterprise in profound ways. Given the considerable burden of managing your enterprise’s security, and now contending with nation-state supply chain attacks, it can feel overwhelming as a defender. Our suggestion: start at the basics and work forward. Ask yourselves what the worst day you could have would look like, and plan your risks accordingly.

Consider strategies like operating your industrial infrastructure in a zero trust model that can help mitigate damage done, not just against the SolarWinds compromise, but against ransomware or other malware attacks. Consider how well you know your networks, and if you know what there is to protect. Think about security monitoring and protections in your OT environments. Consider emergency response playbooks for cyber incident response. Consider safety concerns if an attack impacts your operations, or your regulatory compliance.

Ultimately, these are all difficult questions with complex answers, but the resilience and safety of your organization are worth the journey. Here is how Cisco can help:

Cisco Cyber Vision has been specifically developed for OT and IT teams to work together to ensure continuity, security, resilience and safety of your industrial operations. Cyber Vision has behavioral analysis and Snort® intrusion detection capabilities to detect malicious traffic. The latest Cyber Vision knowledge base includes Cisco Talos IDS signatures to detect SolarWinds attacks. If you have not done so already, we recommend you install it today by downloading it here.

Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare, respond and recover from a breach. CTIR enables 24-hour emergency response capabilities and direct access to Cisco Talos, the world’s largest threat intelligence and research group.

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools.

Threat Roundup for January 8 to January 15

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between January 8 and January 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


Reference

20210115-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the full post for more details.

Cisco Secure Workload Immediate Actions in Response to “SUNBURST” Trojan and Backdoor

Background

The SUNBURST trojan and backdoor, as dubbed by FireEye researchers, recently compromised multiple U.S. Government systems and highlights the complexity and connectedness of the modern enterprise IT environment as a security weakness. Recent reporting makes clear that the adversary took advantage of software complexity to deliver a highly refined attack affecting thousands of organizations. Even with many top-tier security controls in place, the attack was able to go unobserved for months.

This blog is not here to tell you that you can deploy one product, call the job done, and never worry about this class of threats again. It will never be that easy. Creating an enterprise software architecture that has defense in depth baked in through multiple layers of fortification, including lateral movement control and least privilege, is, on the other hand, a proven, repeatable, realistic, and implementable strategy.

In these attacks, there is always a chain of events, and the goal is to try to cut at least one of those links to protect your organization. Apply least privilege and zero trust segmentation controls to break as many links as possible in your application environment. The trick is to do this without bringing any services down, requiring infrastructure changes, or frustrating application owners.

We will define actionable zero trust segmentation controls that can be applied by Cisco Secure Workload with immediate effect to protect your enterprise from the “SUNBURST” trojan and backdoor. We will also present advice on zero trust segmentation and least privilege models to help protect you on an ongoing basis, as applying restrictions only to SolarWinds machines and their communication is not enough. If already exploited, the adversary has by now moved laterally, and the problem then becomes not only what SolarWinds can or cannot talk to, but how all application workloads communicate.

In your own environment, run a thought experiment and compute the possible ‘hops’ from a management or monitoring tool like SolarWinds Orion, to a monitored workload, to your most critical data. Chances are, without proper lateral movement control, the number will be uncomfortably low. Use Cisco Secure Workload to raise it.

Cisco Secure Workload Recommendations

In line with Cisco Talos recommendations, all organizations that use the SolarWinds Orion IT monitoring and management software are urged to follow the guidance from DHS and CISA along with the related guidance from SolarWinds to further secure these environments.

As highlighted above, initial steps involve:

  1. Identification of compromised/affected assets
  2. Applying primary mitigations including restricting network traffic to least privilege

Cisco Secure Workload can directly support both initial steps: it assists in the identification of compromised assets and in the application of network restrictions, controlling traffic through central automation of distributed firewalls at the workload level. This flexible approach means a consistent firewall policy can be quickly applied to control inbound and outbound traffic at each workload without the need to re-architect the network or modify IP addressing, and it is compatible with any on-premises infrastructure or public cloud provider.

Identification of Compromised Assets

Cisco Secure Workload can identify compromised assets via three methods:

  1. Presence of installed package
  2. Presence of running process (either name or hash)
  3. Presence of loaded libraries (DLLs)

As operator, you may choose to identify based on one or more indicators. Cisco Secure Workload will dynamically compute a list of all assets that meet the criteria defined. The list will be kept up to date and refreshed every 60 seconds to account for changes in your environment.

Fig 1 – Identifying workloads with affected SolarWinds processes based on published process hash signatures

Fig 2 – Identifying workloads with affected SolarWinds processes based on published DLL hash signatures

Fig 3 – Identifying workloads with the affected SolarWinds package installed, regardless of whether it is running in memory or not

Least Privilege Network Restriction

Once compromised assets have been collated, network traffic can be restricted based on a least privilege model. As operator, you may decide how much privilege to grant. In the current situation, it may be advised to provide zero privileges to all identified Orion Platform assets. In the future, as patched versions of Orion are deployed, privileges may be slightly increased, but only to cover the exact communications Orion requires for operation, and nothing more.

Fig 4 – A Cisco Secure Workload policy includes a dynamic set of source and destinations, defined here by workloads that have been detected to have SolarWinds software and an action, which in this case is to restrict any network traffic.

Fig 5 – More surgical restrictions on trust can be applied, such as removing access to the internet, users, or critical assets.

Fig 6 – The most secure state is when zero trust policies are enacted that define the expected and allowed communication patterns of an application and block all else. Communication patterns can either be ingested as published by the vendor or discovered via machine learning analysis on historical network traffic performed by Cisco Secure Workload if not available.

In the past, we were lucky to be able to conceptualize and wrangle with the complexity of our systems, but those days are gone. The complexity of modern infrastructures, and the blind spots that creates, provides opportunity for adversaries to deliver silent and sophisticated threats. For enterprises, the need for more – more agility, more features, more integrations, more value – has left us with an interwoven web of systems that are highly connected to each other, to the point that the attack surface of any one application becomes the attack surface of all, unless we are segmenting.

The above steps will help protect your organization from the SUNBURST trojan and backdoor, but don’t stop there. The most consistent guideline and hardening measure published by government agencies and independent research bodies, re-iterated after almost any attack – whether ransomware or supply-chain related – to help mitigate the threat, restrict the attacker, and limit propagation is to apply zero trust segmentation controls. In addition to the many benefits of implementing zero trust segmentation controls, Cisco Secure offers Cisco SecureX, a cloud-native, built-in platform experience. With the Cisco Secure platform approach, you will be able to provide greater visibility, faster response and more efficient security operations. The time to act is now.

Get started with Cisco Secure Workload