Cybersecurity firm FireEye has recently released a report detailing the techniques used by the SolarWinds hackers inside the networks of companies they breached.

With the report, FireEye researchers have also released a free tool on GitHub named Azure AD Investigator that they say can help companies determine if the SolarWinds hackers (also known as UNC2452) used any of these techniques inside their networks.

Today's FireEye report comes as the security firm has spearheaded investigations into the SolarWinds supply chain compromise, together with Microsoft and CrowdStrike.

The SolarWinds hack came to light on December 13, 2020, when FireEye and Microsoft confirmed that a threat actor broke into the network of IT software provider SolarWinds and poisoned updates for the Orion app with malware.

The malware, known as Sunburst (or Solorigate), was used to gather info on infected companies. Most of the 18,000 SolarWinds customers who installed a trojanized version of the Orion app were ignored. Still, for some selected targets, the hackers deployed a second strain of malware known as Teardrop. They then used several techniques to escalate access inside the local network and the company's cloud resources, focusing on breaching Microsoft 365 infrastructure.

In its 35-page report, FireEye has detailed these post initial compromise techniques, along with detection, remediation, and hardening strategies that companies can apply.

Summarized, they are as follows:

1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user's password or their corresponding multi-factor authentication (MFA) mechanism.
2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
3. Compromise the credentials of on-premises user accounts synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
4. Highjack an existing Microsoft 365 application by adding a rogue credential to it to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc., while bypassing MFA.

"While UNC2452 has demonstrated a level of sophistication and evasiveness, the observed techniques are both detectable and defensible," FireEye said.

FireEye's ability to detect these techniques inside its network led to the company investigating an internal breach and then discovering the broader SolarWinds incident.
​
Similar tools to the one FireEye released today have also been released by the US Cybersecurity and Infrastructure Security Agency (called Sparrow) and CrowdStrike (called CRT).

Deloitte just announced the availability of audit technology for smaller accounting firms through a new venture it recently formed.

Deloitte created Auvenir as an in-house startup and tasked it with developing its own auditing technology that could be offered to small firms. Next week, Deloitte plans to announce the North American launch of the technology, known as the Auvenir Audit Smarter platform, which leverages artificial intelligence to help auditors with their work.

Auvenir doesn’t use Deloitte’s own proprietary auditing technology, but it was developed with input from Deloitte’s audit team. The Auvenir team also interviewed a number of small to midsized audit firms and their clients across North America to identify the issues they encounter with audits. It has been beta testing the Audit Smarter technology with several auditing firms in Canada.

Deloitte global audit and assurance innovation leader Chris Thatcher said he was tasked by his boss with coming up with the kind of technology that a startup might develop in competition with Deloitte. “One of the things he was quite concerned about, that kept him up at nights, was a couple of guys in a garage thinking about how you could do audit completely differently to how we would have done it traditionally in the past,” he said. “My boss basically challenged me to think about defending ourselves from disruption.”

 “From our perspective at Auvenir, we spoke to hundreds of auditors and clients, primarily in that part of the market, the smaller auditing firms and smaller clients, and what we found is that a lot of the technology that’s available to them is not the right size technology for the size of engagements they’re dealing with,” Auvenir CEO Pete Myers said. “We want to open this up for any accounting firm. We’re not restricting who uses it. It’s available to any firm out there.”

The platform uses cloud-based storage, machine learning and artificial intelligence to improve workflow and collaboration between auditors and their clients.

The machine learning component helps auditors judge whether there is a low or high risk from the trends they are seeing. “It would be like saying nine out of 10 auditors when they were looking at this industry thought this was a high risk, but giving those insights in a real way,” said Myers. “It’s really providing those insights and tips, as someone who is working through the engagement or going through their decision-making to just have somewhat more confidence in the decisions they’re making. One thing that’s very clear, as a platform we’re not taking on the audit itself. We’re just a tool to be used by auditors, and we’re not making any of the decisions that need to be made in coming to an opinion.”

Deloitte admitted last month to a data breach in which hackers were able to access client data from its internal email system (see Deloitte email platform and client data hit by cyberattack). However, Auvenir is using separate servers and is emphasizing security.

“We host the data, and it’s completely separate from where Deloitte hosts their data,” said Myers. “Data security is one of our most important governing principles. In conversations with auditors and clients, it’s top of mind that the data is secure. Basically all of our customer and application data is encrypted whenever it’s being transmitted between our servers or with a customer device. It’s also encrypted anytime it’s stored on our servers. The data is never stored or transferred to a customer without strong encryption and then our encryption algorithms are all compliant or exceed ISO and NISD standards. And in addition to that, we’re making sure we’re going through an independent SOC 2 certification to make sure we’re complying with the SOC 2 and ISO 27001 security standards.”
​
Deloitte sees the technology as an innovation for the audit profession. “We believe this is quite radical innovation,” said Thatcher. “This is radically different innovation from what we’ve seen traditionally from ourselves and from others in the market. This is the very first venture we have done as a global audit business and certainly we hope it is not our last.”

An advanced hacking and cyberespionage campaign against high-value targets has returned.

The so-called 'DarkHotel' group has been active for over a decade, with a signature brand of cybercrime that targets business travelers with malware attacks, using the Wi-Fi in luxury hotels across the globe.

Hotel Wi-Fi hotspots are compromised in order to help deliver the payload to the selected pool of victims. The exact methods of compromise remain uncertain, but cybersecurity experts believe it involves attackers remotely exploiting vulnerabilities in server software or infiltrating the hotel and gaining physical access to the machines.

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

But now the actors behind DarkHotel have changed tactics again, using a new form of malware known as Inexsmar to attack political targets. Researchers at Bitdefender – who've analyzed the malware strain – have linked the Inexsmar campaign to DarkHotel because of similarities with payloads delivered by previous campaigns.

In common with other espionage campaigns, the Inexsmar attack begins with high-level phishing emails individually designed to be interesting and convincing to the target. "The social engineering part of the attack involves a very carefully crafted phishing email targeted to one person at a time," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.

Researchers remain uncertain about who is being targeted by the campaign – and the malware sample doesn't provide clues about this – but the nature of the phishing emails point towards government and political targets.

Within the email is a self-extracting archive package, winword.exe, which when executed begins the Trojan downloader process.

In order to avoid the victim getting suspicious, the downloader opens a decoy Word document called 'Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx'.

It shows a list of supposed contacts in the North Korean capital, with references to organizations including FAO, UNDP, UN, UNICEF, and WFP. It even contains warnings about spammers and ensuring privacy – with the victim reading this just as their privacy is being compromised by hackers.

In order to prevent detection, the malware is downloaded in stages – another element of the campaign which links it to DarkHotel. The first stage of the downloader even hides malicious codes and strings inside an otherwise legitimate OpenSSL binary by statically linking the malicious code to the otherwise unrelated library code.

Following this, the malware runs a mshta.exe operation – a legitimate Microsoft HTML Application host needed to execute .HTA files – to download the second part of the payload and compromise the target with the Trojan malware.

Researchers suggest the multi-stage Trojan download is an evolutionary step to keep the malware competitive as victims' defenses improve.

"This approach serves their purpose much better as it both assures the malware stays up to date via system persistence – not achievable directly using an exploit, and giving the attacker more flexibility in malware distribution," says the paper by malware researchers Cristina Vatamanu, Alexandru Rusu, and Alexandru Maximciuc.

DarkHotel is a highly sophisticated hacking operation, stockpiling digital certificates to aid in the distribution of malware and deploy backdoors with code hidden under many layers of protection.

The group is careful to cover their tracks but the nature of the attacks and the way DarkHotel picks victims potentially indicates involvement of a nation state actor.
​
"Attribution is usually difficult with this type of attack, but its complexity and the cherry-picked victims show that it is likely a state-backed threat with serious skills and resources," said Botezatu.

In our super-connected world, the data we are generating makes big data an inviting career field for young people.

"Big" hardly seems large enough to describe big data these days. With connected devices like Fitbits and smartphones, massive amounts of data are created every day at an exponential rate. But the sheer size of big data isn't what is most impressive; it's the gold mine of business insights it offers when analyzed.
For young professionals with big data analytics degrees, the field offers almost limitless potential and a wide range of careers from which to choose. Here's a look at a few of these emerging careers.

Big Data Architects. It's one thing to brainstorm innovative products, like Siri or a smart refrigerator, but it's another to bring those ideas to life. Similar to a construction architect, a data architect designs the framework of the latest technology and data systems, determining the structural requirements needed to securely store an abundance of information. With the demand for both immediacy and privacy, a data architect must develop a system that considers future roadblocks, such as storage and data sharing.

As the competition for innovation increases, data architects will be responsible for both the short-term and long-term technology vision for their companies. Aside from a comprehensive education, employers look for candidates with a vast knowledge of database languages like SQL, NoSQL, Python and SPSS.

Data Scientists. One part statistician and one part software engineer, a data scientist is the brains behind data interpretation. Data scientists take massive amounts of data and whittle them down into concise statistics to use in predictive and prescriptive modeling. From there, the data scientist can generate valuable insights that improve business performance. As an example of data science, the Uber surge charge on New Year's Eve was determined by a data scientist after measuring analytical trends within the current landscape.
Equipped with sharp problem-solving skills and a healthy dose of creativity, data scientists are a tremendous asset to all industries.

Big Data Managers. Managing data architects, scientists and a full team of technicians – not to mention managing the actual data – requires a data manager to oversee all processes and communicate day-to-day operations to company leadership. A data manager knows the intricacies of the tech world as well as the overall corporate strategy. They're the jacks of all trades, if not the master of all.

A data manager is responsible for organizing the data being produced, ensuring quality, implementing strategy, and then reporting back to leadership. They leverage insights provided by data scientists to recommend new products, predict future roadblocks and streamline business logistics. In addition to experience in Hadoop and Hive, this high-level role requires cross-functional skills such as programming and management. As companies continue to adapt to newer systems, the demand for someone to coordinate data processes will continue to increase as well.
​
The technology revolution is not slowing down. Our world is becoming more connected by the minute, creating tremendous growth and opportunity in the field of big data analytics. If you know someone who is looking for a career that will let them transform the future of technology – and earn big bucks while doing it –- a job in big data could be the ticket to success.

Last week, CPA.com and Confirmation.com announced the launch of RIVIO Clearinghouse, which delivers CPA source-validated financial documents such as audited financial statements to bankers, shareholders and other investors. These documents are available through a secure, cloud-based platform that offers stronger fraud prevention and more sophisticated controls than existing delivery methods.

Private companies are the backbone of the U.S. economy, making up the overwhelming majority of the nation’s 28 million businesses. Unlike with public companies, whose key data is accessible through the Securities and Exchange Commission’s EDGAR system, there is no central repository for private company financial information. As a result, many private businesses still rely on outdated methods to distribute financial statements, tax forms and other key documents, such as mailing or hand delivering paper copies or emailing unsecure files. Banks, private equity firms and other users of this information have little way of knowing if the data they receive has been altered.

The RIVIO Clearinghouse transforms how private company financial information is exchanged by:

          •   Validating that a financial document has been uploaded by a licensed CPA firm
          •   Eliminating the possibility that company management can change data once it is uploaded
              by the CPA firm
          •   Allowing companies complete control over who can view the information, so financial data
              remains private and protected
          •   Providing anytime, anywhere access to the information, which can speed lending decisions
              and other business transactions
          •   Protecting private company information with encryption and an IT architecture tested by
              rigorous security audits

 “In today’s digital world, bankers and investors are expecting authenticated sources of data,” said Erik Asgeirsson, president and CEO of CPA.com. “The RIVIO Clearinghouse uniquely provides a system where only licensed CPA firms can upload audited and reviewed financial statements used by lenders, private equity firms and others.”

The clearinghouse does not replace or compete with firm or bank portals, since it was designed specifically for transferring information between three distinct user groups with features relevant to each. In time, the RIVIO Clearinghouse can be integrated into these portals.

“One of the key benefits of the new clearinghouse is fraud prevention,” said Brian Fox, CPA, president and founder of Confirmation.com. “It’s easy to alter a paper financial document or create a bogus PDF, but the RIVIO Clearinghouse prevents changes once a CPA firm uploads a financial statement. That provides peace of mind for lenders and other interested parties.”

KPMG and IBM announced plans to apply IBM’s Watson cognitive computing technology to KPMG’s professional service offerings, with a focus on audit services.

The agreement comes on the heels of several successful projects using cognitive technologies to enhance and deliver professional services.

Providing greater collaboration between humans and artificial intelligence (AI) systems, cognitive technology enables communication in natural language, analyzing massive amounts of data to quickly deliver insights. Watson, accessible through a variety of applications, integrates machine learning and other AI technologies in a scalable system.

“The cognitive era has arrived,” said KPMG chairman and CEO Lynne Doughtie. “KPMG’s use of IBM Watson technology will help advance our team’s ability to analyze and act on the core financial and operational data so central to the health of organizations and the capital markets. In addition to the unprecedented possibilities for enhancing quality, the potential for cognitive and related technologies to help us pursue new business offerings is extraordinary.”

As many of KPMG’s audit, tax, advisory and other professional services rely on judgment-driven processes, the data analysis and innovative learning capabilities of cognitive technology can transform how the firm deploys talent, capital and other resources.

“Auditing and similar knowledge services are increasingly challenged with tackling immense volumes of unstructured data,” stated John Kelly, senior vice president of cognitive solutions at IBM Research. “Cognitive technologies such as Watson can transform how this data is understood and how critical decisions are made. By applying Watson, KPMG is taking a forward-looking approach to extending its expertise, helping professionals and clients gain new insights from critical enterprise information.”

KPMG will be working with Watson to develop select cognitive services to meet extensive audit-specific security, confidentiality and compliance requirements. For example, one of the Big Four firm’s current initiatives focuses on employing supervised cognitive capabilities to analyze large volumes of structured and unstructured data related to a company’s financial information as auditors “teach” the technology to fine-tune those assessments, giving those teams faster access to precise measurements used to analyze anomalies.

With cognitive technology’s ability to analyze a larger percentage of data, KPMG professionals can obtain enhanced insights into the client’s financial and business operations, in turn giving them the opportunity to focus on higher value activities like risk assessment.
​
“Including cognitive technology with KPMG’s innovative capabilities, robust methodologies and processes, and 100-plus year history of excellence, is a real game changer that underscores our commitment to reinforcing confidence in the capital markets,” stated Doughtie.