Enlightening The Dark Halo Of Cybersecurity

This past month has been a dark tornado of activity. All those affected by Dark Halo have been frantically investigating systems and patching right as the entire United States prepare for Christmas in the middle of a pandemic. The anatomy of the attack provides a great deal of insight into the meticulous care placed into this operation.

The Threat of Dark Halo

To better understand the threat of Dark Halo, it is helpful to understand the routine security posture that has been in place up until now. Most networks are poorly defended against the threat of a determined cyberattack. For many American businesses, “good enough” has been the mantra. If a firewall is in place, a good antivirus is in place and the default installations of all components are in place then life is good. For a slightly better posture, a network monitoring tool from SolarWinds is installed so that service availability can be guaranteed.

Until now, most cyberattacks have been suboptimal programming designed to exploit exactly one or possibly two defects in software. A PHP exploit here and an IOS exploit there have been limiting the footprint of a cyberattack to a small handful of victims. Triaging such assaults limits the business impact and cost. Certainly, some larger impacts have occurred with ransomware victims. Still, the spread of ransomware has been limited to a small number of businesses. Typically, insurers and businesses have taken the stance that the ransomware exploited a common vulnerability and encrypted files to demand payment. Since the vulnerabilities were relatively common and the network oversight was lax, the fault has typically been placed on the business management. Similarly, the Experian attack was blamed on the incompetent CIO that had no background in IT.

SolarWinds and other companies have prided themselves in providing deep insight into network activities. Threats that occur are exposed and funneled by these monitoring tools to provide a level of aggregated intelligence into the collective network operations. When a potential ransomware threat is in progress, network operations personnel can swiftly respond to and eliminate that threat.

The Individuals Behind the Attack

All of this serves as a rather intense backdrop against the sophisticated and extreme assault on more than 18,000 companies. Combing through the details of this assault, one could almost imagine the JIRA board setup around this attack. The APT29 group meticulously crafted their assault to gain access to the network, extract the information and clean up any traces of their attack. Furthermore, the attack was so sophisticated that the trusted Multi Factor Authentication method of Duo was utilized without leaving any trace. This means that individuals with a high level of intelligence were used to create an attack onto the victim’s networks. To wit, this wasn’t a smash and grab by a low-level thug, this attack was planned by an Oceans 11 style team sponsored by Putin’s government.

Analyzing the Duo component reveals the deep level of understanding that the attacker has.

“Just about every federation protocol uses cryptography,” stated our Head of Development, Connor Peoples, “to validate the identity of the federation authority. When these keys are kept secure, an authentication token can be passed in the clear because the signature can be validated to prove that the contents were not manipulated.”

“In this case,” Peoples continues, “the attackers had the signing key which allowed them to forge their own authentication request through OWA as if Duo had acted. In SSO terms, this would likely have come across as an identity provider-initiated request instead of a service provider-initiated request. Microsoft, following the protocol, was able to validate the signed session information because the secret was no longer secret and had been used by a malicious third party. Therefore, Duo has no record of the login and Microsoft validated the request.”

This means that the attack against Duo can be utilized elsewhere. It is not really a flaw, per se. The system worked exactly as designed and architected. Again, the attacker has exploited a routine that works exactly as advertised. To defend against such threats, we must raise our standard of care against these state-sponsored threats. The Siriux Technologies scanning system enables a higher stance against these types of threats.

What Can Be Done From Here?

Therefore, the typical “good enough” stance towards information security is simply not good enough. The correct posture to defend against cyber warfare attacks is to implement modern security scanning and threat remediation protocols that elevate defense and threat awareness to the level that a network administrator can then immediately resolve it.

Dark Halo has raised the bar above and beyond anything that has previously been considered secure. Corporate and government networks require deep levels of scanning to test and resolve against prior and newly discovered threats. To go beyond good enough, we must consider all the actions that a potential threat actor may take. The information security posture going forward is one that must be architected to consider threat actors that are well versed in systems architecture. To outthink this enemy, we must utilize deep levels of knowledge that are readily available to us. By taking information security seriously, the defense of our users will go beyond Dark Halo.

The Siriux Technology scanners takes this threat seriously. Furthermore, it enables the knowledge transfer necessary to remediate and protect against these threats.

To see how Siriux can improve your security posture, schedule a demo with us.