 Attackers hid inside Windows systems by wearing the skins of legit processes. The SolarWinds hackers triggered one of their Cobalt Strike implants in the firm's network through a cunning VBScript that was activated by a routine system process, Microsoft has said. Microsoft's deep dive, published yesterday following SolarWinds' own take on the malware, repeated earlier findings that the hackers went to unusual lengths to disguise their intrusion and avoid detection. Specifically, the compromised DLL file was quietly deployed onto targeted systems by mimicking legitimate file names – and the attackers worked between 8 am and 5 pm to increase the odds of not being spotted. It continued: "Applying this level of permutations for each individual compromised machine is an incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims." Much of the infosec commentary around the SolarWinds supply chain attack has reused the tired old clichés of stating the attackers were sophisticated, advanced, cunning, soft, strong, thoroughly absorbent, and so on. In this case, the clichés appear to be true because the attackers "first enumerated remote processes and services running on the target host" and only moved through the target network "after disabling certain security services." Those techniques included editing the Windows registries of target machines to disable autostarting of security processes – and then waiting until the target machine was rebooted before moving in for the kill. "The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary," Microsoft sighed. The analysis includes indicators of compromise and techniques used by the attackers to skate around SolarWinds's networks but, unusually for infosec research, expresses them in plain English that any averagely skilled IT pro can follow. It's well worth a read. The attackers also used the mildly unusual reflective DLL loading attack technique. A full explanation can be read here, also from Microsoft. Briefly, the technique allows malicious DLL files to be loaded into a process without first having been registered with it – and does so from memory, via a custom loader deployed by the attacker, rather than pulling it from a potentially detectable disk location. Relatedly, custom Cobalt Strike loaders developed by the hackers strongly resembled "legitimate Windows file and directory names, once again demonstrating how the attackers attempted to blend in the environment and hide in plain sight," said MS. The autopsies of the biggest supply chain attack for years will doubtless continue, but one thing's for sure: whichever nation-state was behind it, they really knew what they were doing and really didn't want to be caught in the act. Follow this thread and more on OUR FORUM.
 The data regulator for the German state of Lower Saxony has fined a local laptop retailer a whopping €10.4 million ($12.5 million) for keeping its employees under constant video surveillance at all times for the past two years without a legal basis. The penalty represents one of the largest fines imposed under the 2018 General Data Protection Regulation (GDPR) not only in Germany but across Europe as well. The recipient is notebooksbilliger.de AG (doing business as NBB), an online e-commerce portal and a retail chain dedicated to selling laptops and other IT supplies. The State Commissioner for Data Protection (LfD) for the state of Lower Saxony said that the company installed two years ago a video monitoring system inside its warehouses, salesrooms, and common workspaces for the purpose of preventing and investigating thefts and tracking product movements. Officials said the video surveillance system was active at all times, and recordings were saved for as much as 60 days in the company's database. But while the retailer thought it was running a banal video monitoring solution, as found in many other businesses across Germany and all over the world, the German data regulator found it to be a gross encroachment on the rights of German workers. "We are dealing with a serious case of video surveillance in the company," said Barbara Thiel, head for LfD Lower Saxony, in a press release earlier this month. "Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees." The German data regulator argued that employees do not have to give up their right to privacy because their employer puts them under suspicion of potentially committing a crime in the future. "If that were the case, companies could extend surveillance without limit," Thiel said. The German official claimed that video surveillance was not to be used as a "deterrent" to prevent crime but only when an employer had justifiable suspicion against certain employees. In those cases, employees could be monitored for limited periods of time until the suspicion was confirmed, and not for years in a row. "Video surveillance is a particularly intensive encroachment on personal rights, because, theoretically, the entire behavior of a person can be observed and analyzed," Thiel said. The LfD head said that because of the constant video monitoring, employees are under continuous stress and pressure to behave as inconspicuously as possible in order to avoid being criticized for their behavior. Furthermore, the German data regulator said that NBB also recorded customers while testing devices in its salesrooms without their knowledge or consent, which represented another major privacy breach. But in a PDF statement published on its website, NBB CEO Oliver Hellmold said the fine and accusation that it monitored employees were unfounded. "At no point was the video system designed to monitor employee behavior or performance. It wasn't even technically equipped for it," Hellmold said. The NBB CEO accused the LfD Lower Saxony office of misconduct. He argued that officials didn't visit its premises during the three-year investigation and that NBB previously made adjustments to its video surveillance system at the office's request in order to become compliant. Furthermore, Hellmold called the fine disproportionate to the company's size and said that they plan to appeal. "It is absurd that authority imposes a fine of more than 10 million euros without sufficiently investigating the matter. Apparently, an example is to be made here at the expense of our company," he said. Continue reading on OUR FORUM.  Parler’s website suddenly appeared online Sunday with a message from its CEO, John Matze, who said, “Hello world, is this thing on?” The message suggests Parler was able to find another hosting service, coming about a week after Amazon Web Services booted the social media website from its services, taking the site down. It came as Parler—billed as a “free speech” platform—was seeing an unprecedented surge in users as prominent conservatives, among others, were being banned from Twitter, Facebook, and other platforms. Matze also issued a temporary status update. “Now seems like the right time to remind you all—both lovers and haters—why we started this platform,” Matze. “We believe privacy is paramount and free speech essential, especially on social media. Our aim has always been to provide a nonpartisan public square where individuals can enjoy and exercise their rights to both. We will resolve any challenge before us and plan to welcome all of you back soon. We will not let civil discourse perish!” Amazon Web Services’ rationale behind jettisoning Parler was due to a lack of moderation and came in the backdrop of the Jan. 6 U.S. Capitol riots. Parler, in a court filing, citing text messages between Matze and an Amazon representative, claimed Amazon was primarily concerned with whether President Donald Trump would migrate to Parler after his Twitter account was banned last week. Read more: Parler Back From The Dead As CEO Posts New Message |
Latest Articles
|