White House Scales Back Response to SolarWinds & Exchange Server Attacks

  /     /     /  
Publicated : 23/11/2024   Category : security


White House Scales Back Response to SolarWinds & Exchange Server Attacks


Lessons learned from the Unified Coordination Groups will be used to inform future response efforts, a government official says.



The Biden administration has decided to stand down two emergency response groups recently established to drive a coordinated government response to the SolarWinds attack and exploits targeting critical Microsoft Exchange Server vulnerabilities.
Lessons learned from the two so-called Unified Coordination Groups (UCGs) will be used to help improve future government responses to major cyber incidents, said Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, on Monday.
Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures, Neuberger said in a
statement
.
The Trump White House established the
first UGC
in early January following news of the SolarWinds breach. The attack resulted in malware being distributed to some 18,000 organizations around the world including government agencies, private companies, and technology firms. The task force, comprised of security teams from the FBI, the DHS Cybersecurity & Infrastructure Security Agency (CISA), and the ODNI, was set up to drive a coordinated investigation and response for the attack, which involved federal government networks.
The Biden administration established a
similar UGC
in March, this time in response to news about
attacks
targeting four newly disclosed zero-day vulnerabilities in the widely used Microsoft Exchange Server. Unlike the first task force, this one also encouraged participation from private sector organizations.
Neuberger pointed to several lessons learned from the two UGCs in announcing the decision to wind them down. For example, by involving industry players and multiple legal authorities, the earlier UGC was able to accurately scope the SolarWinds attack and determine that fewer than 100 organizations were actually targeted in secondary attacks from a worst-case scenario of 16,800 organizations. This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities, Neuberger said.
Similarly, active partnerships with private companies resulted in the expedited availability of a one-click tool from Microsoft for simplifying and accelerating patching and cleanup efforts at organizations affected in the Exchange Server attacks. CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident, Neuberger noted.
Many security experts have described the attack on SolarWinds as one of the worst in recent memory. The attack, which the US government last week
formally attributed
to Russias Foreign Intelligence Service (SVR), has drawn widespread attention for the sophisticated malware used and extensive operational security that the attackers maintained throughout their campaign.
More than 18,000 organizations received malware hidden in legitimate updates of SolarWinds Orion network management software. A handful of them, including fewer than 10 US federal agencies and companies such as FireEye and Mimecast, were later subjected to further exploits and data theft. FireEye had a collection of its red-team tools stolen, and Mimecast said some of its source code was taken in the attack.
In identifying SVR as the mastermind behind the SolarWinds campaign, the US Treasury Department also announced sanctions against multiple Russian IT security firms for helping the intelligence service in its campaign.
The more recent attacks on Microsoft Exchange Server also evoked substantial concern because of how widely used the technology is within US government and private networks. A cyber espionage group called Hafnium, which Microsoft says is a state-sponsored group operating out of China, was believed primarily responsible for many early attacks targeting the four bugs in Exchange Server. However, by March, multiple attackers were believed to be exploiting the flaws to carry out a range of malicious activities including stealing copies of Microsoft AD databases, dumping credentials, moving laterally and writing web shells that future attackers can exploit — the most troubling finding, researchers say.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
White House Scales Back Response to SolarWinds & Exchange Server Attacks