treasury – Techdirt

DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later

from the holy-shit-this-is-bad dept

Welp. Everything is compromised. Again.

Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

[…]

The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access: the attackers inserted a backdoor into an Orion component that SolarWinds then built, digitally signed with its own certificate, and shipped to customers as a legitimate update, without knowing the code had been tampered with. The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.

Here’s how the backdoor works, according to FireEye:

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
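The backdoor FireEye describes talks HTTP to servers the attacker controls while dressing the traffic up as Orion Improvement Program telemetry, so the look of the traffic is an unreliable signal; what a monitoring server cannot fake is where its packets go. The script below is an added example, not code from Techdirt, FireEye or SolarWinds: it runs an egress-allowlist check over a few constructed proxy log lines and flags any Orion server that talks HTTP(S) to a destination outside a pinned allowlist or to a bare IP address. The hostnames, log format, allowlist entries and sample lines are assumptions made for the demo, not indicators taken from the article.

```python
"""
Egress allowlist check for network-management hosts (added example).

Flags outbound HTTP(S) from SolarWinds Orion servers to any destination that is
not on a pinned allowlist, i.e. the "communicates via HTTP to third party
servers" behaviour FireEye describes. Hostnames, log format and allowlist
entries below are assumptions for the demo, not indicators from the article.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log (NOT real traffic, NOT indicators of compromise).
# Assumed format: "<timestamp> <src_host> <method> <url> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
2020-12-13T02:10:05Z orion-01.corp.example GET https://downloads.solarwinds.com/Orion/release-notes.txt 200 1822
2020-12-13T02:41:17Z orion-01.corp.example POST https://api.solarwinds.com/v1/status 200 512
2020-12-13T03:12:44Z orion-01.corp.example GET https://cdn.updates-example.net/pkg/check 200 9031
2020-12-13T03:13:02Z wkstn-17.corp.example GET https://news.example.org/ 200 40211
2020-12-13T04:55:39Z orion-02.corp.example GET http://203.0.113.45/api/events 200 1260
2020-12-13T05:00:01Z orion-02.corp.example POST https://api.solarwinds.com:443/v1/upload 200 256
"""

# Assumed inventory and allowlist. In practice build both from your CMDB and
# change records, never from the Orion hosts themselves.
ORION_HOSTS = {"orion-01.corp.example", "orion-02.corp.example"}
EGRESS_ALLOWLIST = {"downloads.solarwinds.com", "api.solarwinds.com"}


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    src: str
    method: str
    url: str
    status: int
    size: int


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dest: str
    reason: str


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one log line in the assumed format; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, size = parts
    try:
        return ProxyEvent(ts, src.lower(), method, url, int(status), int(size))
    except ValueError:
        return None


def dest_host(url: str) -> str:
    """Hostname of the request target, lower-cased, with any port stripped."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_allowed(host: str, allowlist: set[str]) -> bool:
    """Exact match or a proper subdomain of an allowlisted name (no suffix tricks)."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def flag_suspicious_egress(log_text: str, orion_hosts: Iterable[str],
                           allowlist: set[str]) -> list[Finding]:
    """Findings for watched hosts talking HTTP(S) to anything outside the allowlist."""
    watched = {h.lower() for h in orion_hosts}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.src not in watched:
            continue
        host = dest_host(ev.url)
        if not host:
            findings.append(Finding(ev.ts, ev.src, ev.url, "unparseable destination"))
        elif is_ip_literal(host):
            # A management server beaconing to a bare IP over HTTP warrants a look on its own.
            findings.append(Finding(ev.ts, ev.src, host, "raw IP destination"))
        elif not is_allowed(host, allowlist):
            findings.append(Finding(ev.ts, ev.src, host, "destination not on egress allowlist"))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_egress(SAMPLE_PROXY_LOG, ORION_HOSTS, EGRESS_ALLOWLIST):
        print(f"{f.ts} {f.src} -> {f.dest}: {f.reason}")
```

The check has to live somewhere the Orion host cannot edit, such as the proxy or firewall logs: an implant that arrives inside a legitimately signed vendor update is trusted by everything on the box, including its own logs and any agent running there. Expect the allowlist to need tuning against real update and telemetry traffic, and treat anything flagged on a host covered by the CISA directive as a reportable finding rather than noise.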

SolarWinds boasts over 300,000 customers, including 425 of the Fortune 500, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (the page listing them has since been pulled and now returns a 404 error) all but ensures every passing hour will add another victim to the list.

According to SolarWinds’ post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.

On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.

The attack is serious and widespread enough that the DHS's cybersecurity arm has issued an Emergency Directive (ED 21-01) stating that the only proven way to mitigate damage at this point is to disconnect or power down affected Orion systems, and to leave them off until further notice. CISA (the Cybersecurity and Infrastructure Security Agency) describes this as a persistent threat, one that cannot simply be patched away.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

The directive goes on to mandate reporting on infected systems and to require affected agencies to treat those systems as still compromised until CISA gives the all-clear. Unfortunately, this grave warning comes from an agency that is itself compromised. CISA issued the directive on December 13. Here's what was reported in the early hours of December 14:

US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.

CNN learned Monday that DHS’ cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.

In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.

The Russian government is denying involvement, but the evidence seems to point to "Cozy Bear" (also tracked as APT29), the hacking group associated with Russia's foreign intelligence service, the SVR. Unfortunately, SolarWinds' dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government's attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.

Filed Under: cisa, commerce department, hacking, russia, treasury, vulnerability
Companies: fireeye, solarwinds

Treasury Department Wing Latest To Be Accused Of Domestic Spying

from the just-dipping-into-the-domestic-stream-until-someone-says-stop dept

Some more domestic spying taking place, this time by financial regulators. While the US Treasury Department is well within its legal wheelhouse to investigate domestic financial wrongdoing, its Office of Intelligence and Analysis is only supposed to monitor financial activity occurring outside of the US. The OIA has apparently been helping itself to domestic financial records, as Jason Leopold reports.

Over the past year, at least a dozen employees in another branch of the Treasury Department, the Financial Crimes Enforcement Network, have warned officials and Congress that US citizens’ and residents’ banking and financial data has been illegally searched and stored. And the breach, some sources said, extended to other intelligence agencies, such as the National Security Agency, whose officers used the Treasury’s intelligence division as an illegal back door to gain access to American citizens’ financial records.

The US Treasury Department has responded to the allegations raised by several anonymous sources, claiming Leopold’s article is basically bullshit.

“The BuzzFeed story is flat out wrong. An unsourced suggestion that an office within Treasury is engaged in illegal spying on Americans is unfounded and completely off-base.”

The department claims any sharing of data between the domestic-focused Financial Crimes Enforcement Network (FinCEN) and the OIA is completely legal. The NSA made a similar claim about its perusing of domestic financial data. But those claims seem a little hollow now that the Treasury Department’s Inspector General has announced an investigation into this information sharing.

In some cases, the information shared had been properly redacted. But officials claim OIA personnel simply found ways to obtain the blacked-out data.

Some sources have also charged that OIA analysts have, in a further legal breach, been calling up financial institutions to make inquiries about individual bank accounts and transactions involving US citizens. Sources said the banks have complied with the requests because they are under the impression they are giving the information to FinCEN, which they are required to do.

That’s how the backdoor works. When identifying information is redacted, the OIA just calls up the financial institution and asks for more information about unnamed accounts until it has enough to nullify built-in minimization procedures.

And there’s more. It appears OIA is passing along domestic banking data to other foreign-facing agencies like the CIA and Defense Intelligence Agency. According to Leopold’s sources, this has gone on for years. It’s only coming to light now because FinCEN officials have begun complaining about the apparent privacy violations.

This has drawn the attention of Sen. Ron Wyden, who is now demanding answers from the Treasury Department.

“If true, those allegations would represent a serious abuse of spying powers to gather Americans’ financial information,” Senator Ron Wyden’s spokesman, Keith Chu, said in a statement: “Sen. Wyden plans to get to the bottom of what happened and take a close look at whether the rules currently protecting the privacy of Americans are strong enough and adequately enforced.”

This is something Wyden does well: dogged pursuits of information pertaining to intelligence community misconduct. Unfortunately, the intelligence community maintains a pretty solid stiff arm, which tends to put years between Wyden’s questions and their eventual answers. Throw in some national security concerns, and the agencies involved are likely to be permitted to go dark for as long as possible.

The years of infighting between FinCEN and the OIA appear to be causing collateral damage. Another Leopold report from a couple of weeks ago covers a bizarre incident at the Treasury Department as FinCEN analysts attempted to dig through financial data for anything of interest that might have helped investigators track down participants in the recent London terrorist attack.

When the officials got to their secure operations center in Northern Virginia that Saturday night, they discovered that everyone on duty had been blocked from the classified networks their response depended upon. They couldn’t open links emailed by the FBI about the suspected terrorists they were supposed to be chasing. They couldn’t begin following the threads connecting those suspects to the people who had been funding and supporting them.

The lack of access for personnel within the Financial Crimes Enforcement Network — never before reported — cost antiterrorism forces on both sides of the Atlantic crucial time in identifying and pursuing the people and networks around the attackers, according to sources and documents reviewed by BuzzFeed News.

One possible explanation for the lockout is the ongoing feud between FinCEN and the OIA. The OIA controls FinCEN's access to the classified networks that let FinCEN piece together paper trails from both domestic and foreign banking data; if the OIA wanted to keep FinCEN out, it easily could. The other explanation is human error: unrenewed network security keys.

Whatever is happening isn’t pretty. Human errors like these can result in lost human lives. If there’s a turf war happening, the latest claims about OIA malfeasance are only going to result in less cooperation during critical times which, again, will possibly result in the loss of lives.

Filed Under: backdoor surveillance, financial records, fincen, oia, surveillance, treasury

from the it-never-ends dept

Update: Just as we published this, news came in that this amendment was rebuffed, but the point remains: Congress keeps trying to sneak in little favors to Hollywood every chance it gets.

Congress continues to show that it learned absolutely nothing from the SOPA/PIPA mess earlier this year. While we’ve been focused on the problematic IPAA bill in the House, which would create a high level IP Enforcement “deputy assistant” within the Commerce Department, over in the Senate, Debbie Stabenow is looking to create another such role in the Treasury Department. We just mentioned an effort by the Senate Finance Committee to actually make the Special 301 report useful by having it go after internet censorship… but according to Politico’s Morning Tech, Senator Stabenow has very quietly introduced an amendment to that effort, which would increase the role of the Treasury Department as Hollywood’s private police force:

A tweak by Sen. Debbie Stabenow made available last night would add to the trade bill her own measure, the Protect American Innovation Act. Among other things, the amendment would establish the position of “director of Intellectual Property Rights Enforcement” at Treasury, while boosting the ability of Customs and ICE to find and seize infringing materials entering the country or to be exported.

Stabenow actually introduced this "Protect American Innovation Act" last year, in the midst of the fight over SOPA and PIPA, and very few people noticed, since all of the attention was on those two bills. But if you look at the details, it's just more of the same. It would increase the Treasury Department's role in intellectual property enforcement, first by establishing a "director of intellectual property rights enforcement" within the Treasury. That position would be tasked with working closely with ICE, and ICE would get its own new "coordinator of intellectual property enforcement." You remember ICE. Those are the folks famous for censoring websites based on no evidence, just the RIAA's say-so. Oh, and remember Dajaz1? That's one of those sites that ICE erroneously censored. One of that site's admins lives in Michigan, Stabenow's home state. But, apparently, Stabenow would rather carry water for Hollywood than protect her own constituents from gross overreach by the US government.

Given how badly ICE screwed up that job, it’s amazing that Stabenow wants to increase their authority. But that’s what’s happening. The bill defines “piracy” as “activities related to production of or trafficking in unauthorized copies or phonorecords of works protected under title 17, United States Code, or related laws.” And we thought “piracy” was defined as “an act of criminal violence at sea.” But, notice just how broad that text is there. Any production of “unauthorized copies” of works protected under the copyright act. Yeah, if you make a copy… the Treasury Department and ICE might be able to target you.

The bill also says that Treasury/ICE/Customs should get training in new technology for “detecting and identifying, at ports of entry… pirated goods.” Given how broad this is, you could read this to mean that your phones, MP3 players and laptops may get scanned at the border for all of the music and movies you have. There was talk of such things in ACTA, but they were rejected when people spoke up — and now they’re back in a bill from Senator Debbie Stabenow who apparently slept through what happened in response to SOPA/PIPA and ACTA.

The bill also gives law enforcement within Treasury/ICE/Customs pretty broad powers, including issuing fines for importing “pirated” goods, and says that such fines “may not be mitigated” unless ordered by a court or “pursuant to regulations issued by the Commissioner.” And such fines “may not be dismissed or vacated.” In other words, if they catch you with pirated works, they may be required to issue fines. In fact, it says that the mitigation, dismissal or vacation of such fines can only happen for “extraordinary cases.” Having a few unauthorized songs on your iPhone isn’t extraordinary.

But wait… there's more. The IPAA, as discussed, would increase US diplomatic efforts to push for IP enforcement abroad, and this bill would do the same, though in a different area. Rather than IP attachés, ICE and Customs would be tasked with spreading Hollywood-style maximalism to other countries by increasing staffing to provide training and assistance to other countries in "detecting" such "pirated goods."

There are also a ton of small changes to copyright law, which would take quite a few hours to dig in and see what they actually do. As is typical of these kinds of bills, they don’t tell you what the bill would actually now say — they just say things like “strike from [phrase y] to [phrase x] and insert [random string of terms].” And, sometimes (including here), even these phrases then point you to other laws that you have to piece together as well. You have to sit down, pull up the original, figure out what’s being taken out, what’s being inserted and what it all means. There appear to be about a dozen such changes which we’ll have to go through later, but it wouldn’t surprise me to find more trouble in there.

For example, just a quick look at Section 143 of this bill might appear like a minor textual change. It says you have to add the following to an existing statute (19 U.S.C. 1595a(c)(2)). What's that? Oh, it's the rules for the government forfeiting your property. And what's the text?

‘(G) it is a technology, product, service, device, component, or part thereof the importation of which is prohibited under section 1201(a)(2) of title 17, United States Code.’.

Okay, piece that back into the statute above, and you see that what it's actually doing is increasing the types of things that can be forfeited by ICE and Customs. But how so? Well, you have to jump over to section 1201(a) of Title 17, which is the anti-circumvention provision of the DMCA.

When you sit back and parse it all together, you realize that they’re now allowing ICE/Customs to forfeit any circumvention device. Considering how many “circumvention devices” you already own without realizing it, you should be concerned.

Either way, I’m sure there’s more in there, but this is just a quick read, because, again, this effort was announced yesterday for markup today. And, yes, while Stabenow released this bill last year, it got little attention because no one thought it was going anywhere. To suddenly jump the line and try to attach it to a separate, important bill, shows the same sort of attempt to sneak through laws for Hollywood without public scrutiny.

Filed Under: congress, customs, debbie stabenow, ice, ip enforcement, piracy, senate, treasury

Treasury Department Meddling In Venture Capital For No Good Reason

from the not-all-private-equity-is-the-same dept

The Wall Street Journal has an important editorial pointing out why it's a mistake for Treasury Secretary Timothy Geithner to include venture capital funds in his new regulatory plan to deal with "systemic risk." There's no doubt that highly leveraged hedge funds contributed greatly to the current economic situation, creating a level of systemic risk that we're only just coming to terms with. However, it's not at all clear what venture capital has to do with that. Yes, both are unregulated funds of private equity, but that's about where the similarities end. Venture capital relies very little on debt, and is usually a way for wealthy investors to bet money longer term on new innovations, rather than the sort of short-term speculation that is more common with hedge funds.

Yet, for some reason, they're being lumped together and will have the same regulatory burdens. This could significantly hinder venture capitalists, much like some other recent regulatory changes, creating unnecessary and wasteful burdens that are more for show than any actual effort to protect the economy. As the editorial points out, we've already stress-tested the venture capital world: when the dot-com bubble burst, it didn't cause any systemic risk. No banks failed because of the bubble bursting. So why is the government suddenly acting like VCs are a threat to the wider economy now?

Filed Under: economy, systemic risk, timothy geithner, treasury, venture capital