Russians Are Believed To Have Used Microsoft Resellers in Cyberattacks (nytimes.com)
As the United States comes to grips with a far-reaching Russian cyberattack on federal agencies, private corporations and the nation's infrastructure, new evidence has emerged that the hackers hunted their victims through multiple channels. From a report: The most significant intrusions discovered so far piggybacked on software from SolarWinds, the Austin-based company whose updates the Russians compromised. But new evidence from the security firm CrowdStrike suggests that companies that sell software on Microsoft's behalf were also used to break into customers of Microsoft's Office 365 software. Because resellers are often entrusted to set up and maintain clients' software, they -- like SolarWinds -- have been an ideal front for Russian hackers and a nightmare for Microsoft's cloud customers, who are still assessing just how deep into their systems Russia's hackers have crawled. "They couldn't get into Microsoft 365 directly, so they targeted the weakest point in the supply chain: the resellers," said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm.
CrowdStrike confirmed Wednesday that it was also a target of the attack. In CrowdStrike's case, the Russians did not use SolarWinds but a Microsoft reseller, and the attack was unsuccessful. A CrowdStrike spokeswoman, Ilina Dimitrova, declined to elaborate beyond a company blog post describing the attempted attack. The approach is not unlike the 2013 attack on Target in which hackers got in through the retailer's heating and cooling vendor. The latest Russian attacks, which are thought to have begun last spring, have exposed a substantial blind spot in the software supply chain. Companies can track phishing attacks and malware all they want, but as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce, Google's G-Suite, Zoom, Slack, SolarWinds and others -- and giving them broad access to employee email and corporate networks -- they will never be secure, cybersecurity experts say. "These cloud services create a web of interconnections and opportunity for the attacker," Mr. Chisholm said. "What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses." Some reports have confused the latest development with a breach of Microsoft itself. But the company said it stood by its statement last week that it was not hacked, nor was it used to attack customers.
And again (Score:2)
Re: (Score:2)
Oh, they will. They will try to hack them back and thereby deliver yet more zero days into their hands.
Re:And again (Score:5, Interesting)
This year the Russians added to their round of high school competitions infosec. They have been doing math, physics, chemistry and general computer science and mathematical linguistics for ages. This is one of the reasons why the best of their high school production wipes the floor with most of the West (the exception being a couple of countries like Finland which have a strong high school STEM competitive circuit). The Chinese are the same by the way - they have STEM on a competitive basis in schools.
This year, they added infosec to the high school competition levels. All areas - penetration, security assessment, defensive and offensive hacking, crypto, etc. There is an extra twist too. The generic STEM competitive circuit is sponsored and supported mostly by the unis which pick the best competitors by offering entrance places and scholarships without a test result requirement. The infosec competitive stream, however, will have the military and the military academies sponsoring it.
So, in 2-3 years time USA will be able to do f*ck all, unless it declares every Russian who was not dumb enough to fail his high school a potential threat... While at it, if they think they are hacking a lot today, they have not seen anything yet. Watch this space in 3 years time.
Re: (Score:2)
Re: (Score:2)
That sounds incredibly sad. My favorite time in secondary school (junior high in US) was doing things in chemistry... things like black powder...
Re: (Score:2)
Don't forget the nitrogen tri-iodide. Paint the door knobs with it.
Re: And again (Score:3)
Re: (Score:2)
Re: And again (Score:2)
Re: (Score:2)
Her luster for the alleged president was that she is a raving Christian Religious Nutjob, which he figured (more likely his "advisors") would go down well with that part of the electorate that are raving Christian Religious Nutjobs. That was a correct choice given that the Christian Religious Nutjobs are easily dazzled and don't care a whit for integrity or a professional background.
And the fact that she was happy to enable the grifters in the Education for Profit industry, which preys on the disadvantaged a
Re: And again (Score:2)
And the USA is hung up on feelings, and teaching kids how best to be butthurt and sue their employer.
Let's face it, we are fucked. Russia will own us, China will own us, Europe will own us...
And we did this to ourselves.
I wonder if we will even have 'second world' status come 2050? :\
Re: And again (Score:1)
Re: (Score:2)
Oh, it will try to. A bit too little, too late.
One person, Betsy DeVos. Brilliant at transferring money away to Charter schools. Charter schools are what the Trumps attended. Just forget about the masses and the playboys.
Re: (Score:1)
But they are! Working to keep the hysteria up as high as possible. Something to keep our minds off of Congress's failures past, present, and future, the same failed congress that just got reelected, minus only 13(!). The same multimillionaires rationing out this paltry "relief" that we might not even get at all. Ah, but... Russia!
Fuck...
Re: And again (Score:3, Interesting)
Maybe not in response to this specific incident, but who's to say the US doesn't already have their hooks into places. See Stuxnet and how long it took the world to discover it.
I hack you, you hack me.... (Score:3)
Likely we will just see more tit-for-tat hacking between the 2 countries.
Re: (Score:2)
Well, you missed the news about the Russians crying that we put their space rockets on a list of military stuff.
They cry and cry, and then they turn around and say, "But you can't hurt us."
Stop crying then, Ivan.
Re: And again (Score:2)
The problem with attacks like this is attribution is INCREDIBLY difficult.
If the US gets attacked by a missile, it is pretty easy to know if it was sent by Russia, and if you confirm that, you can also reasonably know that the government authorized it.
Neither of these things is trivial in cyber attacks. Even if you can attribute the attack to originating from a Russian group (non-trivial all by itself for a plethora of reasons) - knowing that the group was acting on behalf of or with authority
Re: (Score:2)
Of course they will. They will fill a propaganda thread full of Russia, Russia, Russia comments, so vapid and boring, pretty much only their inane comments are in it, and because it is full of nothing but their propaganda, apart from the odd ego-deflating comment, they believe they are winning, until the ego-deflating comments start appearing.
Russia, Russia, Russia, is so yesterday, why not go with 'the sky is falling' or the British are coming (bit more appropriate that one, as they pretty much fucked over US i
This doesn't sound like the Putin I know. (Score:2)
And as a cardiologist, I should know.
Re: (Score:2)
Seems doubtful as he has no blood, except the blood on his hands.
A failure of the NSA and GCHQ to ensure security (Score:5, Insightful)
Another day, another breach of computers, supposedly by anti-western governments. Long ago the NSA and GCHQ decided that security was a trade off between their ability to hack systems and protecting businesses [schneier.com] and they decided to prioritise their ability to hack [schneier.com] the rest of the world. The failure of these agencies to absolutely prioritize computing security is destroying the countries that they are paid to defend.
No need for resellers (Score:1)
Oh no! (Score:3)
If only some way people could see in the open the source of their problems. Obviously, not solutions to be found.
ROFL (Score:3, Insightful)
I got away from this fate by switching back to software development in time. I know quite a few guys who got the sack because switching to a RESOLD Office360 with a bundled "service agreement" made their job redundant. Well, we now see the fallacy in this idea. Whatever the f*ck you do the ratio of USER : SYSADMIN is relatively constant and adding external "service" elements to the system should increase it, not decrease it - more moving parts.
The Cloudy Chickens are flying home to roost and they are having diarrhoea. Are they singing Katyusha? I doubt it. In any case the Chinese can sing and march to a Russian tune very well too: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Damn that video! It just triggered a relapse of my yellow fever.
Re: (Score:3)
Damn that video! It just triggered a relapse of my yellow fever.
I see you have the correct reaction. Applause.
There is a detail to the video which most people miss. If you did not notice, most of the ladies have their faces smudged. There is a reason for that. While it is a very high honour to pull a leg in front of Comrade Xi, it should not interfere with smiling at you and me at a tech conference like MWC or Kubecon. IT IS THAT UNIT.
Re: Cloud services insecure by design (Score:1)
The term "cloud" and naming the cloud vendor is irrelevant here and used by news only as a troll tactic to stoke fear. Resellers were hacked and the attack vector was neither the cloud technology nor the hosting provider.
Re: Cloud services insecure by design (Score:1)
And yet the sheeple still buy cloud devices by the millions, and they never read the service agreement to know that an employee of the company is now authorized to come into their home at random times and paddle them in the butt.
After they get reamed by shitty service, milked for every scrap of personal information so their insurance agent can know to deny their clams, and their cloud dependent devices rendered bricked/worthless because "this company is going in a bold new direction, to provide more value b
'The Russians' (Score:1)
Re: (Score:2)
Re: 'The Russians' (Score:1)
A throne has two armrests.
Russia will be chained by the neck to one, and the USA chained to the other, and China will sit proudly above both.
Not surprising (Score:2)
We manage a large number of clients and have access to management capabilities for their Microsoft and Google accounts.
If we were hacked then the hackers would likely be able to do all kinds of "fun things" with those.
Luckily our customers are small and medium companies and thus not likely targets for targeted attacks, just the generic ones.
Re: (Score:1)
"Luckily our customers are small and medium companies and thus not likely targets for targeted attacks, just the generic ones."
That is a dangerous statement to make and believe. How many of those companies have large clients? It only takes one level of indirection to make YOU the victim of a targeted attack because one of those companies is a vendor to a Fortune 100.
Re: (Score:2)
Well, we do our best on security, but there is only so much a small company like us can do if directly targeted by a state.
Re: (Score:1)
Agreed. Unfortunately, as this hack and many others have revealed, we are at the mercy of many things outside our control - libraries, docker containers, update servers, OS vendors, etc.
If you do the best you can with security, a realistic threat model is a good place to start and I was hoping to point out that "we're not a target" is not the basis for a realistic threat model. It's about as relevant to security posture as "I have nothing to hide" is to privacy.
If that sentence isn't a mantra that lures you
Re: (Score:2)
The thing is: we do not have the resources for a dedicated network security team, unlike some bigger companies. So, while we try to take care of security matters it is just part of everyday job.
Thus I see it as I said in my original post, if we are directly targeted by a state entity, they are likely to find some problem that they can exploit. But we are as said not a likely target for such.
A larger company faced with such attack would have at least a chance of trying to mitigate/stop such attacks due t thi
Re: (Score:2)
Sigh. They knew this would happen when GPT3 was released, and they did it anyway. Artificial stupidity, indistinguishable from human stupidity.
Good job, guys. You could've worked on cancer therapy or clean energy or interplanetary colonization or any number of things that would have left us in a better place, but no, this was more interesting. Or at least, it paid better.
Thanks, Elon. Thanks a lot.
Evolution (Score:1)
Why always Russia? (Score:1)