Boston (AP) — The SolarWinds hacking campaign blamed on Russian spies, and the “serious threat” it poses to US national security, are widely known. A very different, and less alarming, coordinated series of intrusions, also detected in December, has received significantly less public attention.
Agile and highly skilled criminal hackers believed to be active in Eastern Europe hacked dozens of businesses and government agencies on at least four continents by breaking into a single product that they all use.
Victims include the Central Bank of New Zealand, Harvard Business School, Australian securities regulators, the powerful US law firm Jones Day (whose clients include former President Donald Trump), rail freight company CSX, and the Kroger supermarket and pharmacy chain. The Washington State Auditor’s Office was also attacked, potentially revealing the personal data of up to 1.3 million people collected to investigate unemployment fraud.
The two-stage mega-hack, in December and January, of a popular file transfer program from Silicon Valley company Accellion highlights a threat that security professionals fear could get out of hand: attacks on the software supply chain and third-party services.
Operating system companies such as Microsoft have long been in the spotlight. Thousands of Exchange email server installations have been compromised worldwide in the last few weeks, primarily after the company issued a patch and revealed that Chinese state hackers had invaded the program.
Meanwhile, the number of Accellion victims continues to grow, with many being extorted by Russian-speaking Clop cybercriminals, who threat researchers believe may have purchased the stolen data from the hackers. Their threat: pay up, or sensitive data is leaked online, whether it is a proprietary document from Canadian aircraft manufacturer Bombardier or a communication between a Jones Day lawyer and a client.
The hacking of up to 100 Accellion customers, who were easily identified by the hackers in online scans, throws into painful relief a core mission of the digital age at which both government and the private sector are falling short.
“Vendors such as Microsoft and Apple have significantly increased the security of their operating systems over the past few years, making it increasingly difficult for attackers to gain access in the traditional way. Therefore, attackers find an easier way. This often means going through the supply chain, and as we’ve seen, it works,” said Mikko Hypponen, chief research officer of cybersecurity firm F-Secure.
Lawmakers are already dismayed by the supply chain hack of Texas network management software company SolarWinds, in which suspected Russian state-sponsored hackers breached at least nine government agencies and more than 100 companies and think tanks. The SolarWinds hacking campaign was discovered by cybersecurity firm FireEye only in December.
France was hit by a similar hack that also attacked the supply chain, and its cybersecurity agency blamed Russian military agents. They slipped malware into an update to a company’s network management software, called Centreon, and quietly rooted around victims’ networks from 2017 to 2020.
Both of those hacks sneaked malware into software updates. The Accellion hack differed in one important way: the file transfer program resided on victims’ networks as a standalone appliance or a cloud-based app. Its job is to securely move files that are too large to be attached to an email.
Mike Hamilton, a former Seattle chief information security officer who is now with CI Security, said criminals targeting “corporate and government agencies” are more likely to abuse third-party service providers.
The impact of the Accellion breach could have been blunted had the company warned its customers more quickly, some complain.
Adrian Orr, governor of New Zealand’s central bank, says Accellion failed to warn the bank after first learning in mid-December that its FTA application, which is nearly 20 years old, uses outdated technology and was slated for retirement, had been compromised.
According to the bank, although a patch became available on December 20, Accellion did not notify the bank in time to prevent its appliance from being compromised five days later.
“If we were notified at the right time, we could have patched the system to avoid the breach,” Orr said in a statement posted on the bank’s website. The stolen information included files containing personal emails, dates of birth, and credit information, the bank said.
Similarly, the Washington State Auditor’s Office has no record of being informed of the breach until January 12, the same day that Accellion publicly announced it, said spokeswoman Kathleen Cooper. Accellion said it released the patch to fewer than 50 affected customers within 72 hours of learning of the breach.
Accellion tells a different story. It says that since December 22 it has alerted all 320 potentially affected customers with multiple emails, followed by further emails and phone calls. Company spokesman Rob Doherty did not directly address complaints from the Central Bank of New Zealand and the Washington state auditor. According to Accellion, fewer than 25 customers have suffered serious data theft.
According to a timeline released March 1 by cybersecurity firm Mandiant, which Accellion hired to investigate the case, the company was first informed of the breach on December 16. The Washington state auditor says its hack happened at Christmas.
The timing of the notification is a serious matter. The state of Washington is already facing legal proceedings, and several lawsuits seeking class-action status have been filed against Accellion. Other organizations may also face legal or other consequences.
Last month, Harvard Business School officials sent an email to affected students informing them that some Social Security numbers and other personal information had been compromised. Another victim, Singapore-based telecommunications company Singtel, said the personal data of about 129,000 customers had been leaked.
Katie Moussouris, CEO of Luta Security, said that software companies with hundreds of programmers often have only one or two security personnel.
“We can say that organizations are investing uniformly in security, but in reality, we see them dealing with breaches and vowing to do better in the future. And that has kind of been the business model.”
Accellion spokesman Doherty said the attack “has nothing to do with staffing,” but did not say how many people the company had directly assigned to security in mid-December.
Cybersecurity threat analysts hope the snowballing of supply chain hacks will shock the software industry into prioritizing security. Otherwise, vendors risk the fate of SolarWinds.
In a filing with the Securities and Exchange Commission last week, the company offered a bleak outlook.
Supply chain hacking “continues to evolve rapidly,” it said, and “it may not be possible to identify current attacks, anticipate future attacks, or take appropriate security measures.”
The ultimate, painful result, the document added:
“You may choose to postpone your purchase, cancel your contract or subscription with us, or not renew.”