Microsoft v. SVR. Why open source should be the norm

Microsoft vs. SVR

It could have been a Tom Clancy novel from the NetForce series, but it's a book written by Microsoft President Brad Smith in tribute to himself and his company. Anyway, if one reads between the lines (at least in the extract to which a portal had access) and separates the self-congratulation from the jabs at competitors, what remains is very interesting and instructive. And, in my humble opinion, a sample of the advantages of the free and open source software model.

Characters

Every spy novel needs a "bad guy" and, in this case, we have nothing less than the SVR, one of the organizations that succeeded the KGB after the collapse of the USSR. The SVR handles all intelligence tasks carried out outside the borders of the Russian Federation. The "innocent victim" was SolarWinds, a company that develops network management software used by large corporations, critical infrastructure operators, and US government agencies. Of course, we also need a hero. In this case, by its own account, it is Microsoft's Threat Intelligence Department.

As befits a hacker story, both the "bad guys" and the "good guys" have an alias. The SVR is Yttrium: at Microsoft, the less common elements of the periodic table are used as code names for threat actors. The Threat Intelligence Department is known by its acronym MSTIC, which internally is pronounced "mystic" because of the phonetic similarity. Hereinafter, for convenience, I will use these names.

Microsoft v. SVR. The facts

On November 30, 2020, FireEye, one of the leading computer security companies in the US, discovered that it had suffered a security breach on its own servers. Since they were unable to fix it themselves (I'm sorry, but I can't help saying "in the blacksmith's house, a wooden knife") they decided to ask Microsoft's specialists for help. Since MSTIC had been following in Yttrium's footsteps, they immediately suspected the Russians, a diagnosis later confirmed by the official US intelligence services.

As the days went by, the attacks were found to be targeting sensitive computer networks around the world, including Microsoft itself. According to media reports, the United States government was clearly the main target of the attack, with the Treasury Department, the State Department, the Commerce Department, the Energy Department and parts of the Pentagon among the victims. Dozens of other affected organizations were added to the list, including other technology companies, government contractors, think tanks and a university. The attacks were not directed only against the United States: they also affected Canada, the United Kingdom, Belgium, Spain, Israel and the United Arab Emirates. In some cases, the intrusions into the network lasted for several months.

Origin

It all started with network management software called Orion, developed by a company called SolarWinds. With more than 38000 high-level corporate clients, the attackers only had to insert malware into an update.

Once installed, the malware connected to what is technically known as a command and control (C2) server. The C2 server was programmed to give the connected computer tasks such as transferring files, executing commands, rebooting the machine, and disabling system services. In other words, the Yttrium agents got full access to the networks of everyone who had installed the Orion update.

Next I am going to quote a paragraph from Smith's article verbatim:

It didn't take long for us to realize the importance of technical teamwork across industry and with the United States government. Engineers from SolarWinds, FireEye, and Microsoft started working together immediately. The FireEye and Microsoft teams knew each other well, but SolarWinds was a smaller company facing a major crisis, and the teams had to build trust quickly if they were to be effective. SolarWinds engineers shared the source code of their update with the security teams of the other two companies, which revealed the source code of the malware itself. US government technical teams quickly sprang into action, especially at the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.

The highlights are mine: teamwork, and sharing the source code. Doesn't that sound familiar?

After opening the back door, the malware remained inactive for two weeks, to avoid creating network log entries that would alert administrators. Once that period had passed, it sent information about the network it had infected to a command and control server that the attackers had set up with the hosting provider GoDaddy.

If the content was of interest to Yttrium, the attackers came in through the back door and installed additional code on the compromised server to connect to a second command and control server. This second server, unique to each victim to help evade detection, was registered and hosted in a second data center, often in the Amazon Web Services (AWS) cloud.

Microsoft v. SVR. The moral

If you want to know how our heroes gave the villains their due, the links to the sources are in the first paragraphs. I'm going to jump straight to why I am writing about this on a Linux blog. Microsoft's confrontation with the SVR demonstrates the importance of code being available for analysis, and of knowledge being collective.

It is true, as a prestigious specialist in computer security reminded me this morning, that it is useless for code to be open if nobody takes the trouble to analyze it. The Heartbleed case proves it. But let's recap. 38000 high-end clients signed up for proprietary software. Several of them installed a malware-laden update that exposed sensitive information and handed control of critical infrastructure to hostile actors. The responsible company only made its code available to specialists when the water was already up to its neck. If software vendors for critical infrastructure and sensitive customers were required to release their software under open licenses, then with a resident code auditor (or an external agency working for several vendors) the risk of attacks like SolarWinds would be much lower.


Diego Vallejo said:

Not so long ago, M$ accused everyone who used free software of being communists, as in the worst of McCarthyism.