CNN: Foreign Hackers Breached Nine Organizations to Steal 'Key Data' from 'Sensitive Targets' (cnn.com)
"Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology and education sectors," reports CNN, citing their exclusive glimpse at findings from security firm Palo Alto Networks.
At least one of the breached organizations is in the U.S., they add, and in cooperation with America's National Security Agency (or NSA), security researchers "are exposing an ongoing effort by these unidentified hackers to steal key data from U.S. defense contractors and other sensitive targets." It's the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage. The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers' tools in the process... [T]he hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks, Ryan Olson, a senior Palo Alto Networks executive, told CNN. The intruders could then be well placed to intercept sensitive data sent over email or stored on computer systems until they are kicked out of the network.
Olson said that the nine confirmed victims are the "tip of the spear" of the apparent spying campaign, and that he expects more victims to emerge. It's unclear who is responsible for the activity, but Palo Alto Networks said some of the attackers' tactics and tools overlap with those used by a suspected Chinese hacking group... Cybersecurity firm Mandiant earlier this year revealed that China-linked hackers had been exploiting a different software vulnerability to breach defense, financial and public sector organizations in the US and Europe....
In the activity revealed by Palo Alto Networks, the attackers are exploiting a vulnerability in software that corporations use to manage their network passwords. CISA and the FBI warned the public in September that hackers were exploiting the software flaw and urged organizations to update their systems. Days later, the hackers tracked by Palo Alto Networks scanned 370 computer servers running the software in the US alone, and then began to exploit the software. Olson encouraged organizations that use the Zoho software to update their systems and search for signs of a breach.
Federal officials told CNN the revelation of the hacking activity is evidence of their close work with cybersecurity firms to stay on top of threats.
It's fairly clear that early in WW3 (Score:4, Insightful)
...nobody's shit will work. All the big countries have hacked all the other big countries. Better keep some analog planes and tanks around.
Re: (Score:2)
Breached 9+ DUMB organizations (Score:3)
Re: (Score:2)
Frak those Cylons! :P
Re: (Score:2)
I think what is 'fairly clear' is we are already fighting (or not) the early part of WW3, and virtually everyone's preference, even the hawks like myself who pay it some lip service, is to stick our fingers in our ears, shut our eyes and shout 'la la la I can't hear you!'
Re: (Score:1, Flamebait)
Xi and Putie didn't try to invade the capital this January. WS's did.
Unfortunately, it's true. (Score:3)
If you pay attention to all of the Ransomware events and see who has been had, and what happened during those and prior to those events, it is very clear that all of these networks have been p0w3nd or could be very easily.
One of the hallmarks of many of the latest ransomware incidents is that the access had been available to these crews for 6+ months. They infiltrate. They lay low. They exploit when they need to or they sell the access. Many of these specific tasks are now being done by one or a small group of people, effectively crowdsourcing these attacks.
Why 6 months? The Achilles heel of most security systems is that it is expensive to store all of the logs. 3 months is about the extent most businesses keep logs. Most just let them roll over. The attackers use this as a technique to hide their tracks. No logs? No tracks.
It is a scourge with few success stories. Nothing is secure. There are no silver bullets to this mess.
--
We live in a rainbow of chaos. - Paul Cezanne
"It wuz haxx0rz!" the media-offensive (Score:4, Insightful)
The Achilles heel of most security systems is that it is expensive to store all of the logs.
No, it isn't. It's all text, extremely repetitive and predictable. Meaning it compresses extremely well. Telcos routinely store the logs of the control traffic of their mobile service towers for years. Which also happens to include SMS texts, so they're available for law enforcement. And can tell you where each subscriber was at a given moment. Disk is cheap, tape is cheaper, and you can fit fucktons of logs on even a single tape.
The problem is looking through the logs. Nobody wants to. So why keep it? Keeping data is a liability, so throw the logs away after an arbitrary while. Or a not-so-arbitrary while, if there's a law against data retention. Which I agree with, by the by.
The more important point is that apparently all sorts can just walk in on your network, find themselves a corner to hide in, and despite all your logs you still haven't noticed them in six months. Or a year, or two. How long is it going to take? That's the real problem.
In the meantime we're seeing another deluge of "it wuz dem dam furrin haxx0rz!" with accusations they rival NSA as the cherry on top. This is an orchestrated media campaign. Why? You tell me.
But this isn't news, we've known this for years. Why is this now being fed to the newsies piecemeal, dressed up like we're supposed to be outraged at it? You tell me.
Re: "It wuz haxx0rz!" the media-offensive (Score:2)
The problem is monitoring logs is a pain. You have to manually look for signs of an attack. A line saying "you've been haxxor3d" doesn't show up. It shows up as file errors and access errors, which then have to be filtered out from legitimate ones. If I hit a document I can access legitimately, regularly, am I a hacker or am I doing my job?
As for the media, they are going to sources and asking questions. Those sources include whoever announced the issue. Since it is usually some government agency, they are of course going t
Re: (Score:1)
There do exist various means to automate looking through the logs. Whether these bozos will use them is another issue. But as with terrorists and airports: If they're already in you've already lost. This is the cows coming home on insisting on using known-inferior unsecurable unmanageable software for your "network".
As to the media, you're thinking too simple. No company teams up with eight others to tell the media they've each been haxxen0red. This is some agency or other reaching out to the media. This is
Re: (Score:2)
I am sorry, but yes it is. The sort of storage you need for event correlation and analysis is pretty high I/O. You are doing a lot of full text searching on usually not very consistent records. You will need 10s of terabytes' worth if you are really doing the level of logging you need for a large enterprise, and that remains expensive.
Logs on tape might as well not exist from a defense and detection perspective. They might be forensically useful after you know there has been a breach, but they won't help you sto
Re: (Score:2)
It doesn't need to be enterprise-grade lose-this-data-and-we-are-toast.
Maybe and maybe not. Integrity is really important. Availability is important; a serious threat actor might very well decide to target logging and monitoring systems, especially in an "I think I have been discovered, covering my identity is more important than maintaining access now" situation.
I agree you should be doing most of your correlation and normalization at ingestion time. If you are not, you are losing precious time to react to any alerts before the damage is done. However, I don't for a second th
Zoho Software (Score:2)
Re: (Score:2)
TFA also reads "advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus."
At first glan
good argument (Score:2)
for not giving weapons to cyborgs
this is the most vague article ever (Score:2)
This is so vague they may as well have said there are bad people doing bad things.
Re: (Score:2)
This is so vague they may as well have said there are bad people doing bad things.
Wouldn't want the names of the companies which were compromised to be revealed. That would hurt their stock prices.
Re: (Score:2)
It should hurt their stock prices. If every company that got hacked took a momentary stock plunge, it would be a great incentive not to leave your systems unpatched. Covering for incompetency is not social justice.
Don't mention Windows (Score:2)
Buried in the details of the scoop... (Score:2)
The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers' tools in the process.
I'm going to assume that's true for the original disclosure but I have my doubts. Regardless, that's clearly not the case for this particular article.
The fact that Palo Alto Networks provided an *exclusive* to CNN regarding the hackery was made very clear upfront and Palo Alto Networks was specifically called out by name EIGHT times. What wasn't so #@$!@#$ clear was which piece of software we might all be concerned about. It was mentioned ONCE in the summary, but I had high hopes it received more promine
From which country? (Score:3)
All they would say is "It rhymes with a part of the female anatomy."
Timor-Leste?
Moldova?
Belarus?
Re: (Score:2)
WHY ARE THEY HOOKED UP TO THE INTERNET? (Score:2)
seriously.
leased lines should isolate infrastructure well enough.