Written by Ron Williams, CTO, InfoSec Global
Consistent patterns of State sponsored cyber intrusions targeting cybersecurity operations, connectivity applications, and infrastructure, have been observed over the past 18 months by threat intelligence organizations. These patterns demonstrate an interest from bad actors in compromising their targets in a persistent manner. Some of the trusted building blocks of connectivity including DNS provisioning, VPN software, configurable network devices as well as the theft of security service providers’ Red Teaming tools having been recent targets. Perhaps most significant however, was the late 2020 discovery of hijacking of the software supply chain for a widely deployed (almost de facto adopted in government deployment) network security monitoring software.
The compromise of the software supply chain and of a strategically important vendor was both sophisticated and only the latest in a significant list of such software supply chain compromises. One of the most notorious of these was the compromise of the software supply chain for a de facto Ukranian tax accounting package. The compromise of this software became the exploit vector that released the Not Petya malware into the wild.
This attack was a multi-pronged and multi-target intrusion that exploited default or weak cryptographic parameters that ultimately enabled the forging of privileged credentials. While better cryptography was available in the compromised applications, weak cryptographic default parameters are often resident in trusted libraries. It was this misplaced trust that enabled bad actors to control target systems. These multi-stage intrusions include separate intrusion into the vendor’s software version and release update services and in turn the compromise of customer’s authentication infrastructure using its signing infrastructure and forged cryptographic keys.These keys were used to create a back door into the vendor’s systems and into the systems of those customers who had applied the compromised update.
This latest, wide-scale, software supply chain intrusion and compromise highlighted a type of vulnerability that exists, but is largely hidden or unknown in most organizations. Bad actors like Cozy BearAPT 29 are increasingly seeking to misuse and steal digital keys and certificates. Without a means to identify and monitor how cryptography and its components are configured across the enterprise and it’s cloud properties, organisations have no scalable means to mitigate these kinds of attacks.
Manual inspection, verification, and cataloguing of the cryptography used across systems, applications, data, and cloud environments, is today the only means by which to mitigate this kind of cryptographic attack.Without this visibility and a policy to guide effective cryptographic configuration, organizations cannot know whether their crypto supported applications, web servers, data servers, cloud servers, etc. – are using the best or the worst configurations of cryptography. In this ongoing and apparently state-sponsored intrusion, these vulnerabilities appear to have enabled a brute force attack against the authentication system, resulting in privilege escalation and forged identities. The Department of Homeland Security(DHS) has provided guidance that treats all systems managed by the vendor as compromised.
The DHS Guidance is extensive and has broad implications for the remediation effort. According to DHS Guidelines for US Government systems – all systems must be forensically examined for artifacts of the attack. Until a managed system can be declared ‘clean’ – it must be removed from any network communications. This implies thousands of systems will remain off-line and non-productive until remediated.This is not a process that is likely to be completed anytime soon.
The ‘forgotten’ importance of Cryptographic Lifecycle Management
The on-going impact of these intrusions is detrimental to major US government organizations and toGlobal 1000 Customers of the vendor. Weak cryptography is a favourite target of attackers when privilege escalation and system control is the objective However, with visibility into an organization’s cryptographic infrastructure, these types of exploit can be mitigated before they start. An organization that can gather and analyze cryptographic configuration across their enterprise, can eliminate support for weak cryptography, whether in chosen key lengths, or enciphering, hashing, or signature algorithms.
Enterprises or vendors: how can you protect your organization and mitigate future threats?
In an increasingly cloud enabled world where automation is everywhere, crypto necessarily is also everywhere. This increasingly complex and interdependent world demands Automated Cryptographic Infrastructure Management. Missing from most security operations today is both the visibility into and the ability to manage our cryptographic policy as we do our firewall, identity, and other security policies.
Security researchers believe that this attack would have failed if the compromised authentication systems had been configured according to best practices.
What should you do next?
1. Scan all network servers to identify supported cryptographic suites and protocols.
2. Scan all hosts of interest to identify existing cryptographic elements and their configuration, cryptographic keys, signatures, certificates, libraries, and pkcs11 providers.
3. Assess collected data against company cryptographic policy and best practices
4. Prioritize remediation of obsolete cryptographic elements, ciphers, hash and signature methods, public, private, and symmetric keys.
5. Effect Remediation.
And perhaps the most important,
6. Periodically monitor, evaluate, and remediate as needed cryptographic infrastructure supporting essential business services.
These 6 actions will give organizations confidence that best practice is not only identified but also being met. The level of visibility that is enabled through Cryptographic Lifecycle Management is the ultimate governance assurance capability needed to ensure crypto resilience – an increasingly critical component of our cloud-enabled world.
Questions? We’d love to chat – Contact us at info@infosecglobal.com.
