Transcript
This transcript has been edited for clarity.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. Joining me today is John Fokker, head of threat intelligence at Trellix. John, thank you for being here.
John Fokker: Hey, Mathew. Happy to be here, man.
Mathew Schwartz: So we're talking Midnight Blizzard, the codename for a group formerly known as Nobelium, APT29 and Cozy Bear, which has been tied to some pretty high profile attacks, including one recently against Microsoft. Lots to discuss here, so just to jump in feet first: we have Microsoft recently coming out with more information about this attack, and it's looking worse than it initially believed or feared. What are some of the big surprises from this attack? And then we're going to pull the lens back about what this group has been up to and how people can defend themselves.
John Fokker: Yeah, it's been fascinating to watch this, partly from the sideline, obviously, we cannot see what goes on in the Microsoft incident response office and all the defenders. But if I read the news that they published, and we look at the methodology that the threat actors have leveraged, it does scare me a little bit. For us, first and foremost, the security of customers and organizations is the number one priority. But I feel like there's almost also, the information that comes out is very sparse. It's very structured and I assume that there's a very, very capable and large legal team behind it that craftily weighs all the words that are used, because it's like: oh, no customer data was stolen. Okay, yeah, I understand that … but if they have certain source code, or they find a methodology to break into the customers anyhow, they don't need to have the customer data from the Microsoft network, they can just access the customers' network directly.
That's what we're seeing with the additional breaches of Okta and HPE. It is an interesting movement, I think, from APT29, which is how it's been attributed by, I believe, the coalition of the U.K. and the U.S. and other Five Eyes countries, including the Dutch authorities, I think - that the SVR seems to have an interest in cloud access, and a lot of Microsoft stuff, which makes sense, because a lot of governments run on Microsoft software and it's complex, the cloud stuff is complex, and at the same time, it offers them a way in without using a lot of malware, which sets off a lot of security products, and they're targeting just weaknesses in the system. So I don't have all the details, but something tells me that they've been studying a lot of the materials that they have accessed, probably even going all the way back to SolarWinds.
Mathew Schwartz: A lot of great detail in there. As you mentioned, it isn't just Microsoft that has been hit by this group, which Western law or intelligence agencies have attributed to Russia's Foreign Intelligence Service, the SVR. We saw, as you say, Okta, HPE, and then back to SolarWinds. So a similar group, looking at getting access to code bases, stealing source code - like you say, that could give them ways in that people don't know about yet by studying potential vulnerabilities inside the source code. So, hard to future-proof against these kinds of attacks? Hopefully, Microsoft is reviewing its code bases to see if there have been signs of tampering. What other questions would you have? You've highlighted some of them already, in terms of these carefully, apparently, parsed messages that have been put out by the hacked organizations.
John Fokker: I would encourage more transparency, because the organizations that are now at risk are not only - it's not just Microsoft themselves, there are a lot of governments and a lot of organizations at risk. And for me, as a security practitioner, if you look at the response that's happening, and the sparseness of some of the information and how it comes out, how well weighted it is, I think it's time for organizations to wake up and to say like, hey, it's great if we trust somebody, but how can we be absolutely sure? Because, mind you, Microsoft came out with some advice - and it's not to throw them under the bus - about zero trust authentication and all these methodologies that they themselves failed to implement, and they were breached. So it does show that it's very complex and, yeah, do you do what you say? I would encourage organizations to take a good look, and if you use this infrastructure, are you going to 100% trust this organization? Or are you placing some additional safeguards for yourself?
Mathew Schwartz: Definitely. And one of the things that we saw based on what Microsoft has come out with is that the attackers were able to get access to a test account. I think there are questions about why this test account was able to be parlayed into such widespread access. As you mentioned, these are cloud services. And sometimes people might find features and functionality, I suppose, that weren't so documented. Password-spraying attacks were also used, as you say; you may have expected this sort of thing to get blocked, and yet it was effective. So obviously, some lessons to be learned there for any organization.
John Fokker: Oh, totally. It's quite interesting if you read it, how they go from a test account all the way up to senior executives or being able to breach another company. So they're onto something. There are multiple ways of playing around with the password spray, and also using it to access other mail accounts. Because Office 365 does have a setting that allows for additional logging of unauthorized access. But if you turn that off, and what we often see with this threat actor is they will then be able to access all these mail accounts from other accounts, and that's essentially what happened. So there are multiple-step guides to help with this or tighten this up. As well as - it's not necessarily a product pitch, but as a vendor we offer an XDR solution - I can advise anyone who has additional solutions that allow for extensive logging: look for any tampering with the extensive logging for the Microsoft Outlook web services, as well as unauthorized accounts and any anomalies around login - for test accounts, zero trust authentication. If there's anything that is bypassing multi-factor authentication, these are all red flags that your XDR vendor should be able to provide for.
So we, just like many others, have the solutions in our XDR or Helix solution available to all these customers to apply, because then you have that guarantee. Well, not a guarantee, but you at least have more security and more visibility of anything suspicious that might happen, and it prevents you from becoming the next victim of this.
Mathew Schwartz: One of the big takeaways, I think, from these sorts of attacks, is today it is maybe the SVR; tomorrow, it's a less capable intelligence agency, or it's a cybercrime group using similar tactics. This is the way of the world, right?
John Fokker: Yeah, a key takeaway is that historically, we saw a lot of these APT actors leverage a lot of malware. Mind you, APT29 still does this. We still, on a daily basis, detect activity across multiple organizations, from governments to NGOs across the world, and it's predominantly led through phishing or spear-phishing attempts where they try to break in. And they do that with either Brute Ratel or Cobalt Strike beacons, and they go on and then to try to penetrate the whole network. But on the other hand, we see this divergence towards the cloud - what I mentioned earlier - where they go after infrastructure that is very lucrative, they don't necessarily need the same capability of malware-building that they do, so any attack that they might perform is less deterministic.
And if an organization does not have the proper safeguards in place, they can fly under the radar quite well, and for quite long. And they have seen it, because luckily our Helix solution at the time was one of the things that detected SolarWinds. So these are things that if you do not have the proper controls in place, you will not notice this, and they can do whatever then, they can get all the intelligence that they want. So that's some of the things that we see - it's not really, yeah, you can call it a divergence or a different tactic, but it's definitely something that's going on.
Mathew Schwartz: As you say: cloud environments, it's obvious why so many organizations have adopted them, they can bring some great upsides. But then you're saying that the use of these cloud environments can leave less residue when attackers come through, less of a footprint, unless you are taking these extra steps to do the logging and the monitoring. Is there enough discussion of this, do you think? A lot of people look at cloud and think: less to worry about. But I think we're still coming to grips with what it means to run a really tight cloud security operation. In the States, we see CISA talking about logging and saying there needs to be a lot more of this, because when things happen, you're not going to know what happened unless you've actually planned in advance what you're going to need to be reviewing. Sounds to me like there's still a bit of a learning curve here.
John Fokker: Oh, totally, and when we talk about cloud, mind you, I don't only talk about the major cloud vendors that you might have, or just in this case, Microsoft 365. It could be any service that you're using that uses a cloud-based infrastructure. So essentially, what we're faced with: if you had on-prem, you would have multiple software vendors and packages running in your network, but you have that zoned off by your firewall, you have some controls, there's a level of segmentation taking place. So yes, they could be vulnerable inside your network, as long as it was pretty much controlled. It's like being caught with your pants down, but the curtains are closed. That's the unethical analogy I'll use.
But with cloud, it's the opposite, right? There are no curtains, you're in a glass house. If you're caught with your pants down, everybody can see it. And there are more surfaces connecting to a network. So if you're a defender, you need to be able to interpret logs across multiple platforms almost seamlessly, and that's a huge challenge. Because it's not only that they can go from SolarWinds all the way into your network, they can pivot into a Microsoft instance or an AWS instance for that matter, and you need to be able to cross-correlate these things.
And what we often see is that, yes, cloud providers do offer their own control set, but those control sets and logging facilities are not always matching others, so they're not synchronized. So you see that, for instance, CASB is a very interesting market for a lot of the cloud vendors and for us as well with our sister company Skyhigh, to get control over all these access methods. And that's why Helix also has all these connectors that we have, because we need to make sure that we can make sense of all this, because the big issue that we see now is collaboration security - attackers going through Teams or any other collaboration network and then dropping their malware payload, and then they can pivot into a network. You need to have visibility as a defender. So you're absolutely right that cloud does come with a huge challenge in that way, but it's not impossible. It's just that you have to be diligent about it.
Mathew Schwartz: Fantastic. Well, John, thank you so much for stepping me through what we've been seeing with these most recent nation state attacks, and what organizations should be doing to defend themselves.
John Fokker: Yeah, totally. We actually have a blog coming out on this and these attacks. If anyone wants, please check it out. It's very helpful. And if you look at the countermeasures that we apply, you can apply them to your own situation as well. So I would advise everybody to stay vigilant, to prevent becoming the next victim.
Mathew Schwartz: Excellent. Welcome advice. Thank you so much - John Fokker, head of threat intelligence at Trellix. It's a pleasure.
John Fokker: Thanks, Mat.
Mathew Schwartz: I'm Mathew Schwartz with ISMG. Thank you for joining us.