Ongoing compromises of security software firms have created an urgent need for greater transparency and discussions about “international norm setting”, a senior United States senator has warned as security firm Mimecast becomes the latest software provider to be compromised by Russian hackers.
Mimecast, whose email filtering and staff security training tools are used by around 36,000 companies worldwide, announced this week that a “sophisticated threat actor” had compromised a digital certificate used by around 10 percent of its users – potentially allowing hackers to intercept the connection.
The company was keeping mum on details, but Reuters quoted cybersecurity investigators who attributed the hack to the same Russian hackers that recently compromised up to 18,000 government agencies and businesses by inserting malicious code into the widely used Orion security tool from vendor SolarWinds.
The incident sparked a flurry of in-depth security investigations, prompted warnings from the Australian Cyber Security Centre (ACSC), the US Cybersecurity & Infrastructure Security Agency (CISA) and US intelligence agencies, and sent companies scrambling to evaluate their exposure to the breach.
With Mimecast now compromised and researchers again pointing the finger at Russia, politicians like US Senator Mark Warner are calling for greater transparency and some frank discussions about the real extent of the threat posed by such hacks.
“We need to at least start with how we define where this falls on the [cybercrime] continuum,” Warner – vice chair of the US Senate Intel Committee – said during an Aspen Institute webinar the day after he and hundreds of his colleagues were caught up in this month’s chaos at the US Capitol.
“It’s not a NotPetya, denial of service, complete takedown of our system,” he said in reference to the devastating 2017 attack also attributed to Russian hackers, “but I do think we have to decide whether this is within the bounds of acceptable espionage.”
“Countries spy on each other, but the volume… and the level of sophistication ought to be alarming to all of us.”
Countries that have been attacked in similar ways should come forward “so that we can create some level of international norm setting and some rules of the road,” he said, calling for a “full review” of the patchwork of breach reporting laws that he said were allowing US companies to bury details of cybersecurity compromises.
Running to catch up
Australian organisations including NSW Health, Rio Tinto and Serco were among those named early on as victims of the SolarWinds hack, but security researchers are still expanding the list of victims as they work through the malicious code.
If the level of post-SolarWinds concern is anything to go by, the compromise of Mimecast’s software – and official warnings that other companies’ software may also have been compromised – will be causing consternation amongst corporate users that rely on their software vendors to provide clean applications.
Security expert Kevin Mandia – the CEO of FireEye-owned security firm Mandiant who received a postcard from Russian-linked hackers after his firm uncovered the SolarWinds hack – warned that the task of scanning applications was immense and complex.
The SolarWinds Orion package comprises around 14GB of data spread across some 18,000 files, Mandia said, pointing out that it took “thousands of hours of forensics” – initiated after his firm noticed a series of suspicious logins – before the company’s cybersecurity investigators even pointed the finger at the Orion application.
It was only “after exhausting virtually every other means of entry”, he said, that it was clear they would need to reverse-engineer the platform.
“Most companies use hundreds or thousands of people’s software,” Mandia explained, “and to decompile it, reverse-engineer it and find malware in it when the malware is obfuscated is not a simple task.”
“It’s not where you would start – and that’s the key to this. There’s no magical wand that finds back doors in software that we all purchase and trust.”
The potential scope of the breaches reinforces the efforts of software developers and security specialists to improve the documentation of the myriad components – both proprietary and open-source – that go into today’s software.
Projects such as the NTIA Software Component Transparency project aim to simplify the task using software bills of materials (SBOMs) that would help security specialists take better inventory of, and analyse, the components of vulnerable software packages.