theDocumentId => 1340731 White House Scales Back Response to SolarWinds & ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/19/2021
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

White House Scales Back Response to SolarWinds & Exchange Server Attacks

Lessons learned from the Unified Coordination Groups will be used to inform future response efforts, a government official says.

The Biden administration has decided to stand down two emergency response groups recently established to drive a coordinated government response to the SolarWinds attack and exploits targeting critical Microsoft Exchange Server vulnerabilities.

Lessons learned from the two so-called Unified Coordination Groups (UCGs) will be used to help improve future government responses to major cyber incidents, said Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, on Monday.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," Neuberger said in a statement.

The Trump White House established the first UGC in early January following news of the SolarWinds breach. The attack resulted in malware being distributed to some 18,000 organizations around the world including government agencies, private companies, and technology firms. The task force, comprised of security teams from the FBI, the DHS' Cybersecurity & Infrastructure Security Agency (CISA), and the ODNI, was set up to drive a coordinated investigation and response for the attack, which involved federal government networks.

The Biden administration established a similar UGC in March, this time in response to news about attacks targeting four newly disclosed zero-day vulnerabilities in the widely used Microsoft Exchange Server. Unlike the first task force, this one also encouraged participation from private sector organizations.

Neuberger pointed to several lessons learned from the two UGCs in announcing the decision to wind them down. For example, by involving industry players and multiple legal authorities, the earlier UGC was able to accurately scope the SolarWinds attack and determine that fewer than 100 organizations were actually targeted in secondary attacks from a worst-case scenario of 16,800 organizations. "This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities," Neuberger said.

Similarly, active partnerships with private companies resulted in the expedited availability of a one-click tool from Microsoft for simplifying and accelerating patching and cleanup efforts at organizations affected in the Exchange Server attacks. "CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident," Neuberger noted.

Many security experts have described the attack on SolarWinds as one of the worst in recent memory. The attack, which the US government last week formally attributed to Russia's Foreign Intelligence Service (SVR), has drawn widespread attention for the sophisticated malware used and extensive operational security that the attackers maintained throughout their campaign.

More than 18,000 organizations received malware hidden in legitimate updates of SolarWinds' Orion network management software. A handful of them, including fewer than 10 US federal agencies and companies such as FireEye and Mimecast, were later subjected to further exploits and data theft. FireEye had a collection of its red-team tools stolen, and Mimecast said some of its source code was taken in the attack.

In identifying SVR as the mastermind behind the SolarWinds campaign, the US Treasury Department also announced sanctions against multiple Russian IT security firms for helping the intelligence service in its campaign.

The more recent attacks on Microsoft Exchange Server also evoked substantial concern because of how widely used the technology is within US government and private networks. A cyber espionage group called Hafnium, which Microsoft says is a state-sponsored group operating out of China, was believed primarily responsible for many early attacks targeting the four bugs in Exchange Server. However, by March, multiple attackers were believed to be exploiting the flaws to carry out a range of malicious activities including stealing copies of Microsoft AD databases, dumping credentials, moving laterally and writing web shells that future attackers can exploit — the most troubling finding, researchers say.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9983
PUBLISHED: 2021-07-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2021-25207
PUBLISHED: 2021-07-23
Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary code via the file upload to prodViewUpdate.php.
CVE-2021-20333
PUBLISHED: 2021-07-23
Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log entries to be split. This issue affects MongoDB Server v3.6 versions prior to 3.6.20; MongoDB Server v4.0 versions prior to 4.0.21; MongoDB Server v4.2 versions prior to 4.2.10;
CVE-2020-14032
PUBLISHED: 2021-07-23
ASRock 4x4 BOX-R1000 before BIOS P1.40 allows privilege escalation via code execution in the SMM.
CVE-2021-26799
PUBLISHED: 2021-07-23
Cross Site Scripting (XSS) vulnerability in admin/files/edit in Omeka Classic <=2.7 allows remote attackers to inject arbitrary web script or HTML.