Gregory C. Rasner - Cybersecurity and Third-Party Risk

When an infected file was downloaded and run, the correct VGCA program ran along with the malware. This masqueraded the trojan to the end user because they saw the normal program running correctly, being unaware of the trojan or unlikely to look for it because the program appeared to be running normally. The file eToken.exe extracted a Windows cabinet file (.cab), which was used as an archive file to support compression and maintain archive integrity. The file 7z.cab was the file that contained a backdoor for the attackers to exploit. The attackers went to great lengths to ensure that the backdoor ran, regardless of the user's privileges on the device.

If the 7z.cab file was able to run as an administrator on the machine, the program wrote the backdoor to c:\Windows\appatch\netapi32.dll, which then registered it as a service to ensure it kept running after any reboot. On a device that only allowed the file to run as a normal user, the install placed it in a temporary directory, but the program scheduled a task to ensure its persistence. ESET named this backdoor PhantomNet. They mentioned that the victim list included the Philippines, but no evidence was found of a delivery mechanism.

The trojan was determined to be a simple program, and according to the sophistication of the attack, it is likely there were other more malicious plugins added to exploit the backdoor. When the victim's web configuration was determined, then it reached out to a command and control (C&C) server to get instructions. Communications with the C&C servers was done over HTTPS (secure, encrypted web traffic), and the attackers went to the trouble of preventing the interception of traffic (i.e., man‐in‐the‐middle attack on their own data) by using their own certificates.

Data analysis indicates that the malware was used for lateral movement. Once inside the computer, it enabled the attacker to move around the network for other data. The malware collected and transferred information about the computer, user accounts, and victim. In the post‐attack forensics, no data was discovered nor was the goal of the attack.

ESET wrote on its website:

Conclusion: With the compromise of Able Desktop, the attack on WIZVERA VeraPort by Lazarus and the recent supply‐chain attack on SolarWinds Orion, we see that supply‐chain attacks are a quite common compromise vector for cyberespionage groups. In this specific case, they compromised the website of a Vietnamese certificate authority, in which users are likely to have a high level of trust. Supply‐chain attacks are typically hard to find, as the malicious code is generally hidden among a lot of legitimate code, making its discovery significantly more difficult.

On January 2, 2020, Zyxel (networking device maker) announced over 100,000 of their firewalls, VPN gateways, and access point controllers (i.e., Wi‐Fi controllers) contained a hardcoded administrator backdoor account, which gives root‐level access (i.e., a super administrator that can do anything on the device) on both the secure shell (SSH) and web administrator portal. This is on top of a previous similar incident with Zyxel in 2016, where they had a backdoor that allowed any user to escalate their account to root‐level account privileges. This backdoor is still being exploited by botnets to this day, four years later.

A hardcoded backdoor root account is one that cannot be underestimated in how critical the security flaw is. When an account is built within the code of a product, it cannot be removed unless the code itself is changed or updated by the manufacturer. Additionally, the root account is what is referred to as a “super user,” which has privileges as an administrator. The products affected the manufacturers Advanced Threat Protection (i.e., firewall), Unified Security Gateway (i.e., hybrid firewall/virtual private network [VPN] gateway), USG FLEX (i.e., hybrid firewall/VPN gateway), VPN, and NXC (i.e., Wi‐Fi access point controller) series. These devices formed the perimeter and internal security control points for thousands of companies worldwide. The attacker's ability to exploit these network devices most assuredly gives them lateral access into the victim's network. At the time of this backdoor announcement, Zyxel offered patches for all of the products except for the NXC series; it is not producing a patch for another four months.

The expected patch release is April 2021. Until then, the only option for organizations is to unplug and replace the devices to ensure security posture.

The hardcoded user account “zyfwp” and password “PrOw!N_fXp” were stored in visible plaintext (i.e., unencrypted or obfuscated). Dutch researchers reported that the password was clearly visible in the code binaries. Apparently the account had the root‐level access to install firmware updates. In the previous 2016 incident, a hacker would've needed to already have a user account on the device to exploit it and to become a super user. In that instance, the root account is directly accessible on HTTPS (port 443) connection to the device.

According to Zyxel's website, “A hardcoded credential vulnerability was identified in the ‘zyfwp’ user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.” A search on Shodan (a search engine that can find computers and devices connected to the internet) shows nearly 30,000 of these devices deployed in Russia; 5,000 in Taiwan, Germany, and Finland; with nearly 3,000 in the United States.

Starting in early December 2020 and into early 2021 ( January 2), there were four major third‐party (supply‐chain) attacks and vulnerabilities announced in the span of 20 days. These attacks or vulnerabilities went on for months or longer. Evidence in the SolarWinds and Vietnam attacks pointed to advanced persistent threats launching into the weaponization of the supply chain. In two of the cases, the attacks were directed at nearly a whole country (Vietnam through the VGCA, and Mongolia through the Able Desktop). In three of the instances, the attackers were all APTs and were stealthy enough to remain undetected for months or longer. These attackers have seen what they can do with the weakest links—vendors—to get to a wide range of targets.

Chief Information Security Officers (CISOs) at Fortune 500 companies have spent billions of dollars in the last decade securing their networks from such breaches. Some great tools have been implemented, like Intrusion Detection/Prevention Systems (IDS, IPS), Cloud Access Security Broker (CASB), Privileged Access Manager (PAM), Security Information and Event Management (SIEM), and Security Operations Centers (also referred to as Cyber Fusion Centers) have been built to track and eliminate threats. However, the level of breaches in 2020 continued to increase exponentially. The number of third‐party breach instances grew because every company is some other company's vendor. As the number of these breaches increased, it meant another vendor with hundreds, thousands, or millions of customers became a victim as well.

Public law enforcement is also sounding the alarm. On December 8, 2020, at the American Bankers Association (ABA) Financial Crimes Enforcement Conference, FBI Director Christopher Wray stated, “The financial sector has the most robust cybersecurity of any industry,” which is why cybercriminals try third‐party channels. Banks can also be affected by ransomware targeting third parties, a threat that Wray said “may be somewhat underestimated by a lot of people.” While he specifically called out financial firms, the same could be said of many other sectors, including aerospace, energy, technology, biotech, and others, which generally have excellent security on their own company's assets. Most of the victims of the SolarWinds attack have been in the technology and government sectors, which typically have had good‐to‐excellent security. In those cases, hackers will target the weakest link, attacking vendors who take security less seriously.