I saved up the SolarWinds stories.
A fourth piece of malware has been found in the incident. Called Raindrop, it comes after Sunspot, Sunburst and Teardrop in the chain and fills the same role as Teardrop, which it can replace. It is used very rarely and has been found only four times so far. Investigators are still unraveling the differences between the two, but one key difference is the deployment method; Raindrop was also disguised as a 7-Zip file.
Malwarebytes is reporting that they too were breached by the same hacking group, though not through the same vector: they do not use SolarWinds Orion. Instead, they were breached via an email protection product, and the attackers gained access to a limited set of internal company emails.
Microsoft is sharing how the attackers evaded detection. They were skilled operators. They named their tools and binaries to match files and programs already present on the compromised device. They built firewall rules to minimize noise before running network scans. They moved laterally with care, disabling security controls on targeted hosts before the move. They disabled event logging before hands-on-keyboard activity, and then put it back when they were done.
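Each step in that description leaves a trace, and the "turn logging off, act, turn it back on" and "add a firewall rule, scan, remove it" sequences are the easiest to correlate. The Python below is an added example (not Microsoft's code and not detection content from the page) that runs two such correlations over constructed Windows Security event records: an audit subcategory disabled and then re-enabled on the same host within a few hours, and a firewall rule added and deleted within a short window. Event IDs 4719 (audit policy changed), 4946 (firewall rule added) and 4948 (firewall rule deleted) are the standard Windows Security IDs for those actions; the flat record layout, hostnames and rule name are assumptions for the example.

```python
"""Detect 'disable logging, act, re-enable' and 'temporary firewall rule'
evasion patterns over Windows Security event records.

The event IDs are the standard ones; the record layout below is a
simplified assumption for this example, not a real export format."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The attacker host disables
# process-creation auditing, opens a firewall rule for a scan, removes the
# rule, then restores auditing. The second host shows benign one-way changes.
SAMPLE_EVENTS = [
    {"ts": "2020-09-14T02:01:10", "host": "srv-fin01", "id": 4719,
     "change": "success removed", "subcat": "Process Creation"},
    {"ts": "2020-09-14T02:02:30", "host": "srv-fin01", "id": 4946,
     "rule": "Core Networking - QoS"},   # look-alike name, constructed
    {"ts": "2020-09-14T02:40:05", "host": "srv-fin01", "id": 4948,
     "rule": "Core Networking - QoS"},
    {"ts": "2020-09-14T02:41:00", "host": "srv-fin01", "id": 4719,
     "change": "success added", "subcat": "Process Creation"},
    {"ts": "2020-09-14T09:00:00", "host": "ws-hr07", "id": 4719,
     "change": "success added", "subcat": "Process Creation"},
    {"ts": "2020-09-14T10:00:00", "host": "ws-hr07", "id": 4946,
     "rule": "Backup Agent"},
]


def parse(ev):
    return datetime.fromisoformat(ev["ts"])


def find_logging_gaps(events, max_gap=timedelta(hours=6)):
    """Return (host, subcat, off_ts, on_ts) for each audit subcategory that
    was disabled and later re-enabled on the same host within max_gap."""
    findings = []
    pending = {}  # (host, subcat) -> time auditing was switched off
    for ev in sorted(events, key=parse):
        if ev["id"] != 4719:
            continue
        key = (ev["host"], ev["subcat"])
        if ev["change"].endswith("removed"):
            pending[key] = parse(ev)
        elif ev["change"].endswith("added") and key in pending:
            off, on = pending.pop(key), parse(ev)
            if on - off <= max_gap:
                findings.append((ev["host"], ev["subcat"], off, on))
    return findings


def find_transient_firewall_rules(events, max_life=timedelta(hours=6)):
    """Return (host, rule, added_ts, deleted_ts) for rules added (4946) and
    deleted (4948) on the same host within max_life."""
    findings = []
    pending = {}  # (host, rule) -> time the rule was added
    for ev in sorted(events, key=parse):
        key = (ev["host"], ev.get("rule"))
        if ev["id"] == 4946:
            pending[key] = parse(ev)
        elif ev["id"] == 4948 and key in pending:
            added, deleted = pending.pop(key), parse(ev)
            if deleted - added <= max_life:
                findings.append((ev["host"], ev["rule"], added, deleted))
    return findings


def events_in_gap(events, gap):
    """Whatever else the host logged while auditing was off is the residue
    that survived the evasion and is worth a closer look."""
    host, _, off, on = gap
    return [ev for ev in events if ev["host"] == host and off < parse(ev) < on]


def run(events=SAMPLE_EVENTS):
    report = []
    for gap in find_logging_gaps(events):
        host, subcat, off, on = gap
        report.append(f"{host}: '{subcat}' auditing off {off:%H:%M}-{on:%H:%M}; "
                      f"{len(events_in_gap(events, gap))} other events in window")
    for host, rule, added, deleted in find_transient_firewall_rules(events):
        report.append(f"{host}: firewall rule '{rule}' lived {deleted - added}")
    return report


if __name__ == "__main__":
    for line in run():
        print(line)
```

The one-way changes on the second host are deliberately not flagged: an admin tightening audit policy or an installer adding a permanent rule is routine, and it is the paired off-then-on shape inside a short window that marks hands-on evasion.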
Microsoft is also reporting on four distinct techniques the attackers used to bypass identity and access management protections and move from on-premises networks into cloud Microsoft 365 accounts.
How big is it? The financial impact is still coming into focus, but insured losses now total $90 million and climbing. Some analysts even say it could have been far worse.
The incident is changing Congress' approach to cybersecurity. The Biden administration has indicated this is a top priority, calling for $10B in spending, with a chunk of it going to CISA. Incoming chair of the Senate Intelligence Committee Mark Warner is planning to hold hearings and will look at a national, mandatory data breach notification law.
Finally, a warning in Wired. Researchers say copycats are coming.
Why do we care?
Learning the details matters because of that last insight. We all need to get smarter about the risks and the strategies, because this is coming for us.