Who knew Uncle Sam had strike teams for SolarWinds, Exchange flaws? Well, anyway, they are disbanded

Lessons learned and mission accomplished, apparently

The US government's response groups for dealing with recent SolarWinds and Microsoft Exchange vulnerabilities have reached the end of the road.

In a statement on Monday, US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said the two Unified Coordination Groups (UCGs) formed in January and March respectively will be disbanded.

"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," said Neuberger.

The SolarWinds incident, disclosed last December and subsequently attributed to the Russian Foreign Intelligence Service (SVR), involved the hacking of SolarWinds' Orion IT management platform and is believed to have compromised at least nine federal agencies and about 100 private sector organizations.

Last week, US President Joseph Biden announced sanctions against Russia for interference in the 2020 US elections and involvement in the SolarWinds attack, among other things.

The Microsoft Exchange flaws – four zero-day vulnerabilities fixed in March and two more patched last week – were initially attributed to hackers in China. But subsequent reports showed multiple hacking groups taking advantage of the bugs. Last month, National Security Advisor Jake Sullivan declined to say whether China was to blame and said the scope of the attack is still being investigated.

The US government's decision to wrap up its intervention efforts follows vulnerability analysis provided by the National Security Agency to Microsoft and the Federal Bureau of Investigation's extraordinary court-approved intervention to shut down web shells installed on compromised Exchange servers.

The two UCGs may be dissolved, but Neuberger argues that they won't be forgotten and that what was learned from the response groups will help future government cybersecurity initiatives. She also observed that the federal effort to narrow the more than 16,000 potential SolarWinds targets down to about 100 private sector organizations helped illuminate and mitigate the attacks.

"While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the Administration places on cybersecurity, and at improving incident response for both the US government and the private sector," said Neuberger.

In an email to The Register, Ed Skoudis, founder of penetration testing biz Counter Hack and Fellow at the SANS Institute, said the attacks were extraordinary in their breadth and scope.

"A bunch of government agencies learned a tremendous amount in coordinating analysis and response for it, especially CISA," he said. "I really do think that the relationships built in coordinating this response among government agencies and the private sector will serve us well in future attacks, which are inevitable. We’ll be better prepared next time around in responding."

At the same time, Skoudis remains concerned that improved response capabilities won't help detect or prevent attacks of this sort.

"It’s a really hard problem to solve given the complexity of modern software development environments and the subtlety of very advanced nation-state attackers," he said. ®

Biting the hand that feeds IT © 1998–2022