The Hack Roundup: Biden Says Obstructed Transition 'Nothing Short of Irresponsible'

President-elect Joe Biden called for political leaders at certain agencies to stop blocking transition efforts to avoid leaving gaps adversaries could exploit.

“As I said last week — this attack constitutes a grave risk to our national security. And we need to close the gap between where our capabilities are now and where they need to be to better deter, detect, disrupt, and respond to these sorts of intrusions in the future,” Biden said in prepared remarks after briefings from his national security agency review teams. 

Biden sees cybersecurity as an area Republicans and Democrats can work together to address, but his transition team faces roadblocks from the Trump administration. He specifically called out the political leadership at the Defense Department and the Office of Management and Budget for preventing his team from getting budget and security information. 

“Right now, we just aren’t getting all the information that we need from the outgoing administration in key national security areas,” he said. “It’s nothing short of irresponsible.”

SolarWinds’ updated security advisory shares details on two different issues with its Orion platform. The company said it has removed software builds known to be affected by the SUNBURST vulnerability—which sparked the Cybersecurity and Infrastructure Security Agency’s emergency directive—from its download sites and continues to work to determine whether non-Orion products are affected. 

The company also acknowledged SUPERNOVA malware, which Microsoft and Palo Alto Networks’ Unit 42 disclosed in research and say could point to a second hacking group. The SUPERNOVA malware is separate from the supply chain attack but is designed to look like it’s part of a SolarWinds product. 

SolarWinds—and many experts—suspects a sophisticated, unnamed nation-state is behind SUNBURST. Who’s behind SUPERNOVA is less certain.

“While there has been speculation by various sources, based on our investigations to date, we do not have a definitive answer at this time. SolarWinds continues to work closely with federal agencies and third-party cybersecurity firms to determine the answer,” according to the site’s frequently asked questions. 

SolarWinds advises customers to operate Orion Platform versions 2019.4 HF 6 and 2020.2.1 HF 2 to be protected from both issues. 

FireEye also released new technical details about how SUNBURST evades forensic and antivirus tools. Researchers write that SUNBURST used “multiple obfuscated blocklists” to identify such tools and acts differently depending on what it finds. For example, if it finds a blocklisted process, SUNBURST pauses and tries again later, but if it finds a blocklisted service, it attempts to disable it. 

Hackers may have used Microsoft resellers to access Office 365 customers, according to a CrowdStrike blog published Dec. 23. Microsoft’s threat center warned the cybersecurity company that “a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago.” 

Microsoft said attempts to read CrowdStrike’s emails failed and CrowdStrike concluded it “suffered no impact.” The blog encouraged organizations to review Azure Active Directory environments and created a free community tool called CrowdStrike Reporting Tool for Azure on GitHub to review permissions and configuration settings. 

“It is critical to ensure you review your partner/reseller access, and you mandate multi-factor authentication (MFA) for your partner tenant if you determine it has not been configured. One of the reasons why these attack vectors are so difficult to mitigate is the inherent complexities that organizations face with federated SSO infrastructure and in managing Azure tenants,” CTO Michael Sentonas wrote. 

CISA released a new, free tool for incident responders working in Microsoft Azure and Office 365 environments. The agency’s Cloud Forensics team released the tool—called Sparrow—on GitHub to help detect users and applications that may have been compromised. The tool “is intended to narrow a larger set of available investigation modules and telemetry to those specific to recent attacks on federated identity sources and applications,” the description says.

The National Security Council reached out to Five Eyes intelligence partners last week about the hack, CNN reported Dec. 23. National Security Advisor Robert O’Brien proposed a joint statement condemning the activities, though it may not mention Russia. Secretary of State Mike Pompeo and Attorney General Bill Barr have publicly linked the campaign to Russia while President Donald Trump has suggested China could be behind it.