A quick Saturday digest of cybersecurity news articles from other sources.
CISA Publishes Eviction Guidance for Networks Affected by SolarWinds and AD/M365 Compromise
Original release date: May 14, 2021
CISA has released an analysis report, AR21-134A Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise. The report provides detailed steps for affected organizations to evict the adversary from compromised on-premises and cloud environments.
Additionally, CISA has publicly issued Emergency Directive (ED) 21-01 Supplemental Direction Version 4: Mitigate SolarWinds Orion Code Compromise to all federal agencies that have—or had—networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity.
Although the guidance in AR21-134A and ED 21-01 Supplemental Direction V.4 is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, territorial, and tribal government organizations; and private sector organizations to review and apply it, as appropriate.
Review the following resources for additional information:
- CISA Webpage: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise (updated May 14, 2021)
- CISA Webpage: SolarWinds Orion Supply Chain Compromise
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
Note: the U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House and in the three Joint Cybersecurity Advisories summarized in the CISA Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise.
Compromised Email Account? Here’s What To Do
An email account can be compromised in a number of different ways. In some cases, your password may be weak and easily guessed or obtained through a public breach. In other cases, you may have clicked on a malicious link in an email, social networking site, or webpage. Or, you may have downloaded an app or file that contained malicious scripts.
In this edition of the security newsletter, we’ll look at potential warning signs that your email account may have been compromised, what you can do to recover, and steps you can take to help prevent it from happening again. Read more…
Joint NCSC-CISA-FBI-NSA Cybersecurity Advisory on Russian SVR Activity
Original release date: May 7, 2021
CISA has joined with the United Kingdom’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), in releasing a Joint Cybersecurity Advisory on Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures. Further TTPs associated with SVR cyber actors provides additional details on SVR activity including exploitation activity following their initial compromise of SolarWinds Orion software supply chain.
CISA has also released Fact Sheet: Russian SVR Activities Related to SolarWinds Compromise that provides summaries of three key joint publications that focus on SVR activities related to the SolarWinds Orion supply chain compromise.
CISA strongly encourages users and administrators to review the joint advisory as well as the other two advisories summarized on the fact sheet for mitigation strategies to aid organizations in securing their networks against Russian SVR activity.
DNI’s Annual Threat Assessment
The office of the Director of National Intelligence released its “Annual Threat Assessment of the U.S. Intelligence Community.” Cybersecurity is covered on pages 20-21. Nothing surprising:
- Cyber threats from nation states and their surrogates will remain acute.
- States’ increasing use of cyber operations as a tool of national power, including increasing use by militaries around the world, raises the prospect of more destructive and disruptive cyber activity.
- Authoritarian and illiberal regimes around the world will increasingly exploit digital tools to surveil their citizens, control free expression, and censor and manipulate information to maintain control over their populations.
- During the last decade, state sponsored hackers have compromised software and IT service supply chains, helping them conduct operations — espionage, sabotage, and potentially prepositioning for warfighting.
The supply chain line is new; I hope the government is paying attention.
When AIs Start Hacking
If you don’t have enough to worry about already, consider a world where AIs are hackers.
Hacking is as old as humanity. We are creative problem solvers. We exploit loopholes, manipulate systems, and strive for more influence, power, and wealth. To date, hacking has exclusively been a human activity. Not for long.
As I lay out in a report I just published, artificial intelligence will eventually find vulnerabilities in all sorts of social, economic, and political systems, and then exploit them at unprecedented speed, scale, and scope. After hacking humanity, AI systems will then hack other AI systems, and humans will be little more than collateral damage.
Okay, maybe this is a bit of hyperbole, but it requires no far-future science fiction technology. I’m not postulating an AI “singularity,” where the AI-learning feedback loop becomes so fast that it outstrips human understanding. I’m not assuming intelligent androids. I’m not assuming evil intent. Most of these hacks don’t even require major research breakthroughs in AI. They’re already happening. As AI gets more sophisticated, though, we often won’t even know it’s happening.
AIs don’t solve problems like humans do. They look at more types of solutions than us. They’ll go down complex paths that we haven’t considered. This can be an issue because of something called the explainability problem. Modern AI systems are essentially black boxes. Data goes in one end, and an answer comes out the other. It can be impossible to understand how the system reached its conclusion, even if you’re a programmer looking at the code. More…
This essay previously appeared on Wired.com
DarkSide ransomware group suffers setbacks following Colonial Pipeline attack
But is the cybercrime group down for the count or laying low for now due to outrage over the pipeline attack?
Share
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com