In the aftermath of two headline-grabbing attacks over the past six months, more high-profile security researchers and analysts are beginning to cast a wary eye at internal systems and technology tools.

The SolarWinds breach, a compromise of third-party software used to protect networks in the U.S. government and four-fifths of Fortune 500 companies, was discovered in December and continues to play out in terms of damage. That was followed by the discovery in March that four previously unknown or “zero day” or yet-undiscovered vulnerabilities had been found in Microsoft Exchange Server software, which is used by 57% of Cloud Exchange mailboxes and 43% of on-premises clients.

Nation-state threat actors were identified as behind both exploits, with Russian intelligence fingered for the SolarWinds breach and a state-sponsored group from China involved in the Microsoft campaign.

In both cases, commonly installed software was the target, leading some observers to wonder if the siege mentality that has gripped the cybersecurity world for years, designed to guard against governments and criminals storming the information technology ramparts, may have been misguided all along. The threat is already inside the castle walls.

There was much focus on protecting against nation-state attempts to disrupt the 2020 presidential election, and it turned out that Russia’s intelligence service was already busy deep within U.S. government networks.

“We all became election reporters last year and it turned out we were looking in the wrong place,” Nicole Perlroth, cybersecurity journalist for The New York Times, said during an appearance at the virtual RSA conference earlier this month.

Targeting developers

What the SolarWinds breach revealed was a hole inside a number of enterprise networks today. Security researchers from firms such as CrowdStrike Holdings Inc. and SentinelOne have closely analyzed the details around the highly sophisticated “SUNBURST” malware attack. They found that by lifting a single Security Assertion Markup Language or SAML token from a network administrator, an attacker could control both local network systems and cloud instances.

This approach, known as a “Golden SAML” attack, accesses on-premises servers and then jumps, via online access, into various services in the cloud. The result was a widespread compromise which potentially affected as many as 18,000 organizations.

“The SUNBURST adversaries went after core developers,” Marco Figueroa, principal threat researcher at Sentinel One, said during an analysis presented at RSA. “This is like Willy Wonka and they were in the Chocolate Factory. They had everything to pick from.”

The far-reaching consequences of the SolarWinds and Exchange vulnerabilities were nearly eclipsed in early May when a ransomware attack knocked out one of the nation’s largest refined gasoline pipelines. System operator Colonial Pipeline was forced to shut down operations after a successful ransomware intrusion disrupted its service for 45% of the East Coast’s fuel supply.

The attack not only led to long gas lines of frustrated motorists and truckers for much of the month, but it also exposed significant vulnerability within the country’s energy infrastructure.

“Part of it was a panic reaction, but ultimately the decision was made for them once the IT network was locked and they couldn’t bill,” said Kim Zetter, an investigative journalist who has covered cybersecurity since 1999. “It feels a little silly to still be talking about connectivity between IT and OT networks. The problem is they didn’t have a plan in place.”

Flawed architecture

The common thread among these high-profile attacks is that internal network architecture is providing a convenient channel for exploit by threat actors, who have been identified in the pipeline case as the cybercriminal gang in Russia known as DarkSide. Operational technology networks have become dependent on IT systems to deliver critical gas supplies, and online connectivity facilitated the Colonial pipeline exploit.

Vulnerability in energy infrastructure is not confined solely to the oil and gas industry. Disruption of the U.S. electric power grid could be next.

Researchers at the Georgia Institute of Technology have been examining the infrastructure of power generators across the U.S. and found that a well-designed botnet network could target specific electrical plants and affect service delivery.

The researchers concluded that attackers could rank system nodes based on voltage stability data and target the weakest sectors of the grid. Finding this information isn’t hard. There is a great deal of power generation data transmitted in real time on publicly available websites.

“Because we made everything smart, we increased attack vectors for cybercriminals around the world,” said Tohid Shekari, Ph.D. candidate and graduate research assistant at the Georgia Institute of Technology.

AI as potential threat

Smart technology itself, increasingly being deployed across government and private sector systems, may soon create new webs of vulnerability, according to a number of leading cybersecurity researchers.

The problem is twofold: Hackers will ultimately begin using artificial intelligence against systems and there is concern that an inability to quickly spot flaws in machine learning models could create even more vulnerabilities.

It would be naïve to believe that criminal hackers, who have already built help desk support operations and a vast marketplace for “plug and play” intrusion tools, would not find a way to use AI for attacks.

“My guess is this isn’t very far off, and we had better start thinking about its implications,” said security technologist Bruce Schneier. “As AI systems get more capable, society will cede more and more important decisions to them, which means that hacks of those systems will become more damaging.”

There is also concern within the cybersecurity community that growing use of machine learning could be opening new avenues of exploit for threat actors. Adi Shamir, professor at the Weizmann Institute in Rehovot, Israel, and a co-founder of RSA, has been analyzing the fragile state of neural networks and recently published a paper on his findings. The cybersecurity researcher does not like what he sees.

“Machine learning at the moment is totally untrustworthy,” said Shamir, during an RSA conference discussion. “We don’t have a good understanding of where the samples come from or what they represent. I would be very worried about deploying any kind of big machine-learning system that no one understands, and no one knows in which way it might fail.”

Crypto hacking

Even the world of decentralized finance, touted by some as the transactional future, is dealing with questions around the security of computerized tools that drive the cryptocurrency market.

Cryptocurrency exchanges have been targeted by hackers and their efforts have paid off. The five largest crypto hacks to-date, which exploited hot wallets and mining marketplaces, totaled $1.3 billion.

While investigating security on the Ethereum blockchain, researchers at Independent Security Evaluators discovered the digital fingerprints of a single bandit who has managed to steal $54 million of the cryptocurrency. It was a successful heist because of software programming errors in the generation of private keys that made them easily discoverable.

Adrian Bednarek, now a security researcher at Overflow Labs, originally published ISE’s findings in a 2019 whitepaper and presented an update during the recent RSA Conference. The number of private keys discovered increased from 732 to 859, representing a total of 56,730 Ethereum blockchain transactions today.

“Through our testing we found that this was being exploited actively in the wild,” said Bednarek. “We could have looted close to $400,000 in 2019, but somebody else was doing that.”

Global spending on information security and risk management services is expected to exceed a record $150 billion in 2021, according to a recent Gartner report. Meanwhile, Cybersecurity Ventures published a study in November that indicated the cost of cybercrime will rise to $10.5 trillion annually by 2025.

The return on cybersecurity investment appears to be diminishing fast. Perhaps the enterprise world should consider the advice of noted cryptographer Whitfield Diffie, who made a brief appearance during RSA. Asked what advice he would put on a bumper sticker, Diffie simply replied: “Unplug it, baby!”

Photo: Hennie Stander/Unsplash