Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/19/2021
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

White House Scales Back Response to SolarWinds & Exchange Server Attacks

Lessons learned from the Unified Coordination Groups will be used to inform future response efforts, a government official says.

The Biden administration has decided to stand down two emergency response groups recently established to drive a coordinated government response to the SolarWinds attack and exploits targeting critical Microsoft Exchange Server vulnerabilities.

Lessons learned from the two so-called Unified Coordination Groups (UCGs) will be used to help improve future government responses to major cyber incidents, said Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, on Monday.

Related Content:

Microsoft Exchange Server Attacks: 9 Lessons for Defenders

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," Neuberger said in a statement.

The Trump White House established the first UGC in early January following news of the SolarWinds breach. The attack resulted in malware being distributed to some 18,000 organizations around the world including government agencies, private companies, and technology firms. The task force, comprised of security teams from the FBI, the DHS' Cybersecurity & Infrastructure Security Agency (CISA), and the ODNI, was set up to drive a coordinated investigation and response for the attack, which involved federal government networks.

The Biden administration established a similar UGC in March, this time in response to news about attacks targeting four newly disclosed zero-day vulnerabilities in the widely used Microsoft Exchange Server. Unlike the first task force, this one also encouraged participation from private sector organizations.

Neuberger pointed to several lessons learned from the two UGCs in announcing the decision to wind them down. For example, by involving industry players and multiple legal authorities, the earlier UGC was able to accurately scope the SolarWinds attack and determine that fewer than 100 organizations were actually targeted in secondary attacks from a worst-case scenario of 16,800 organizations. "This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities," Neuberger said.

Similarly, active partnerships with private companies resulted in the expedited availability of a one-click tool from Microsoft for simplifying and accelerating patching and cleanup efforts at organizations affected in the Exchange Server attacks. "CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident," Neuberger noted.

Many security experts have described the attack on SolarWinds as one of the worst in recent memory. The attack, which the US government last week formally attributed to Russia's Foreign Intelligence Service (SVR), has drawn widespread attention for the sophisticated malware used and extensive operational security that the attackers maintained throughout their campaign.

More than 18,000 organizations received malware hidden in legitimate updates of SolarWinds' Orion network management software. A handful of them, including fewer than 10 US federal agencies and companies such as FireEye and Mimecast, were later subjected to further exploits and data theft. FireEye had a collection of its red-team tools stolen, and Mimecast said some of its source code was taken in the attack.

In identifying SVR as the mastermind behind the SolarWinds campaign, the US Treasury Department also announced sanctions against multiple Russian IT security firms for helping the intelligence service in its campaign.

The more recent attacks on Microsoft Exchange Server also evoked substantial concern because of how widely used the technology is within US government and private networks. A cyber espionage group called Hafnium, which Microsoft says is a state-sponsored group operating out of China, was believed primarily responsible for many early attacks targeting the four bugs in Exchange Server. However, by March, multiple attackers were believed to be exploiting the flaws to carry out a range of malicious activities including stealing copies of Microsoft AD databases, dumping credentials, moving laterally and writing web shells that future attackers can exploit — the most troubling finding, researchers say.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36388
PUBLISHED: 2021-06-17
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVE-2020-36389
PUBLISHED: 2021-06-17
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2021-32575
PUBLISHED: 2021-06-17
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
CVE-2021-33557
PUBLISHED: 2021-06-17
An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
CVE-2021-23396
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.