SolarWinds Hack and VMware Vulnerability

U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks.

On Dec. 7, 2020, the NSA said “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.”

VMware released a software update to plug the security hole (CVE-2020-4006) on Dec. 3, and said it learned about the flaw from the NSA.

The NSA advisory (PDF) came less than 24 hours before cyber incident response firm FireEye said it discovered attackers had broken into its networks and stolen more than 300 proprietary software tools the company developed to help customers secure their networks.

On Dec. 13, FireEye disclosed that the incident was the result of the SolarWinds compromise, which involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for users of its Orion network management software as far back as March 2020.

In its advisory on the VMware vulnerability, the NSA urged patching it “as soon as possible,” specifically encouraging the National Security System, Department of Defense, and defense contractors to make doing so a high priority.

The NSA said that in order to exploit this particular flaw, hackers would already need to have access to a vulnerable VMware device’s management interface — i.e., they would need to be on the target’s internal network (provided the vulnerable VMware interface was not accessible from the Internet). However, the SolarWinds compromise would have provided that internal access nicely.

In response to questions from KrebsOnSecurity, VMware said it has “received no notification or indication that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.”

VMware added that while some of its own networks used the vulnerable SolarWinds Orion software, an investigation has so far revealed no evidence of exploitation.

“While we have identified limited instances of the vulnerable SolarWinds Orion software in our environment, our own internal investigation has not revealed any indication of exploitation,” the company said in a statement. “This has also been confirmed by SolarWinds’ own investigations to date.”

On Dec. 17, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) released a sobering alert on the SolarWinds attack, noting that CISA had evidence of additional access vectors other than the SolarWinds Orion platform.

CISA’s advisory specifically noted that “one of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).”

Indeed, the NSA’s Dec. 7 advisory said the hacking activity it saw involving the VMware vulnerability “led to the installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.”

Also on Dec. 17, the NSA released a far more detailed advisory explaining how it has seen the VMware vulnerability being used to forge SAML tokens, this time specifically referencing the SolarWinds compromise.

Asked about the potential connection, the NSA said only that “if malicious cyber actors gain initial access to networks through the SolarWinds compromise, the TTPs [tactics, techniques and procedures] noted in our December 17 advisory may be used to forge credentials and maintain persistent access.”

“Our guidance in this advisory helps detect and mitigate against this, no matter the initial access method,” the NSA said.
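The CISA and NSA passages above describe the same pattern: an attacker who holds the SAML signing certificate can mint tokens that verify correctly at the service provider even though the identity provider (AD FS) never issued them. One defensive idea that follows from that description is correlation: every assertion a relying party accepts should match an assertion AD FS recorded issuing, with the same subject and a normal lifetime. The PowerShell script below is an added illustration of that correlation check; it is not code from KrebsOnSecurity, VMware, or the NSA/CISA advisories. The record layouts, field names, assertion IDs, subjects and addresses are all constructed for the example, and the one-hour lifetime threshold is an assumption to tune per environment.

```powershell
# Added example (not from the article or the advisories it quotes): flag SAML
# assertions that a service provider accepted but that do not line up with what
# the on-premises identity provider (AD FS) actually issued. A token that passes
# signature validation yet has no issuance record, a different subject than the
# issued assertion, or an abnormally long validity window is worth a closer look.
# All records below are constructed sample data, not real product log formats.

# Constructed: assertions AD FS recorded issuing
$idpIssued = @(
    [pscustomobject]@{ AssertionId = 'a1'; Subject = 'alice@corp.example'; NotBefore = [datetime]'2020-12-10T09:00:00Z'; NotOnOrAfter = [datetime]'2020-12-10T10:00:00Z' }
    [pscustomobject]@{ AssertionId = 'a2'; Subject = 'bob@corp.example';   NotBefore = [datetime]'2020-12-10T09:05:00Z'; NotOnOrAfter = [datetime]'2020-12-10T10:05:00Z' }
)

# Constructed: assertions the hosted mail service accepted (signature verified OK)
$spAccepted = @(
    [pscustomobject]@{ AssertionId = 'a1';  Subject = 'alice@corp.example';      NotBefore = [datetime]'2020-12-10T09:00:00Z'; NotOnOrAfter = [datetime]'2020-12-10T10:00:00Z'; SourceIp = '10.1.2.3' }
    # Same assertion ID as an issued token, but the subject claim was changed
    [pscustomobject]@{ AssertionId = 'a2';  Subject = 'admin@corp.example';      NotBefore = [datetime]'2020-12-10T09:05:00Z'; NotOnOrAfter = [datetime]'2020-12-10T10:05:00Z'; SourceIp = '10.1.2.9' }
    # Never issued by AD FS, and valid for a full day
    [pscustomobject]@{ AssertionId = 'zz9'; Subject = 'svc-backup@corp.example'; NotBefore = [datetime]'2020-12-10T09:10:00Z'; NotOnOrAfter = [datetime]'2020-12-11T09:10:00Z'; SourceIp = '203.0.113.7' }
)

function Find-SuspiciousSamlTokens {
    param(
        [Parameter(Mandatory)] [object[]] $Issued,
        [Parameter(Mandatory)] [object[]] $Accepted,
        [timespan] $MaxLifetime = [timespan]::FromHours(1)   # assumed normal token lifetime
    )

    # Index what the identity provider actually issued, by assertion ID
    $issuedById = @{}
    foreach ($t in $Issued) { $issuedById[$t.AssertionId] = $t }

    foreach ($t in $Accepted) {
        $reasons = @()

        if (-not $issuedById.ContainsKey($t.AssertionId)) {
            $reasons += 'no matching AD FS issuance record'
        }
        elseif ($issuedById[$t.AssertionId].Subject -ne $t.Subject) {
            $reasons += "subject differs from issued assertion ($($issuedById[$t.AssertionId].Subject))"
        }

        $lifetime = $t.NotOnOrAfter - $t.NotBefore
        if ($lifetime -gt $MaxLifetime) {
            $reasons += "lifetime $($lifetime.TotalHours)h exceeds $($MaxLifetime.TotalHours)h"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                AssertionId = $t.AssertionId
                Subject     = $t.Subject
                SourceIp    = $t.SourceIp
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Expected on the constructed data: 'a2' (subject differs) and 'zz9' (no issuance record; 24h lifetime)
Find-SuspiciousSamlTokens -Issued $idpIssued -Accepted $spAccepted | Format-Table -AutoSize
```

In a real deployment the two inputs would come from the identity provider's issuance log and the relying party's sign-in log; the point of the check is that signature validity alone proves nothing once the signing certificate is in the attacker's hands, so the service-provider side has to be reconciled against what the identity provider actually did.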

Reference full article at:

Next Generation Firewalls

We are excited to discuss next generation firewalls for small businesses. We will include brief overviews of the Fortinet 40F, SonicWall TZ 350, Sophos XG 106, and WatchGuard T35 firewalls. First off, every small business needs a firewall in place to prevent data loss, provide VPNs for remote work, and give IT professionals a way to manage the devices on your network. The Fortinet 40F provides 5 Gigabits per second of throughput and offers the new SoC SD-WAN ASIC processor for faster performance and ultra-low latency. The SonicWall TZ 350 includes a higher number of SSL VPN licenses and provides a cloud-based sandbox for analyzing identified threats. The Sophos XG 106 provides larger onboard RAM and has an integrated SSD. If you are anticipating fast growth, the WatchGuard T35 lets your business scale without ripping out existing network security devices. If you’re not sure which device you need, reach out to Cuevista today. We are here to secure your business’s sensitive data and keep it available.

Cross Platform Mobile Apps

The days of cross platform mobile app development are here, and it is flourishing because it speeds up development. These frameworks allow you to program once for both Android and Apple devices. There are three popular frameworks for app development: Xamarin, React Native, and Flutter. There are many others; however, we will only discuss the most popular. All three are open source platforms and provide native functionality where applicable for Android or Apple devices. Xamarin is a framework by Microsoft that allows the programmer to build apps with C# and the .NET framework. React Native is a framework by Facebook that allows the programmer to build apps with JavaScript. Flutter is a framework by Google that allows the programmer to build apps with Dart. All three are great options, but some are more efficient than others depending on your project requirements (i.e. graphics, code reusability, native functionality, etc.). These popular cross platform frameworks all have their pros and cons, but with the right selection your project will run and perform flawlessly.

Docker or Kubernetes

Virtualization with Docker or Kubernetes: both solutions are operating-system-level virtualization that runs software packages called containers. This type of resource virtualization is the latest trend for spinning up a web server, website, database, etc. The Docker concept originated on Linux; however, Microsoft has implemented its own concept called Kubernetes that takes the guesswork out of resource allocation when deploying a container. The primary difference between them is that the Docker environment is designed to run on a single node, while Kubernetes is designed to run on a series of nodes. Both are great virtualization options, with Docker leaning towards small business solutions and Kubernetes leaning towards enterprise solutions; however, a new product called Docker Swarm is on the horizon to give Microsoft a run for its money. Also, we will note that both solutions can be run together.

Automation with PowerShell

Get started with Windows automation with these five helpful PowerShell cmdlets:

1. Get-Help – shows what a specific cmdlet does and how to use it.

2. Get-Command – finds cmdlets and searches modules; very helpful when troubleshooting in a shell.

3. Get-ChildItem – lists the items inside a folder.

4. ForEach-Object – processes each object in the pipeline through a script block, or calls a property or method on it directly.

5. Get-Member – displays the properties of an object, such as a folder.

With PowerShell, automation can be a few keystrokes away.
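As an added example (not a script from the original post), the following puts all five cmdlets above to work in one small inventory task: it walks a folder, picks out files modified in the last few days, hashes each one with SHA-256, and prints a report. The starting folder (`$env:ProgramData`) and the seven-day window are assumptions; change them for your environment. Save it as a `.ps1` file and run it from a PowerShell prompt.

```powershell
# Added example (not from the original post): a file inventory that uses the
# five cmdlets from the list above. Defaults are assumptions; adjust as needed.
param(
    [string] $Path = "$env:ProgramData",   # assumed starting folder
    [int]    $Days = 7                     # assumed look-back window
)

# 1. Get-Help: check what the -Recurse switch does before relying on it
Get-Help Get-ChildItem -Parameter Recurse -ErrorAction SilentlyContinue

# 2. Get-Command: confirm the hashing cmdlet exists in this session
$hashCmd = Get-Command -Name Get-FileHash -ErrorAction SilentlyContinue
if (-not $hashCmd) { throw 'Get-FileHash is not available in this PowerShell session' }

$cutoff = (Get-Date).AddDays(-$Days)

# 3. Get-ChildItem: enumerate files below the folder, including hidden ones,
#    and keep only those written recently
$recent = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

# 5. Get-Member: show the file-object properties the report relies on
$recent | Select-Object -First 1 | Get-Member -MemberType Property -Name LastWriteTime, Length, FullName

# 4. ForEach-Object: build one summary object per file, with its SHA-256 hash
$report = $recent | ForEach-Object {
    $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    $sha  = if ($hash) { $hash.Hash } else { 'unreadable' }   # locked or unreadable files are kept, not dropped
    [pscustomobject]@{
        FullName      = $_.FullName
        LastWriteTime = $_.LastWriteTime
        Length        = $_.Length
        Sha256        = $sha
    }
}

# Newest changes first
$report | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Piping `$report` to `Export-Csv` instead of `Format-Table` turns the same script into a baseline you can diff against a later run, which is the usual next step once the cmdlets above feel familiar.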