1 Oct 2016
Today the contract between ICANN and the US Department of Commerce National Telecommunications and Information Administration (NTIA), to perform the Internet Assigned Numbers Authority (IANA) functions, has officially expired
icann.org/news/announcem…
Today the contract between ICANN and the US Department of Commerce National Telecommunications and Information Administration (NTIA), to perform the Internet Assigned Numbers Authority (IANA) functions, has officially expired
icann.org/news/announcem…
This historic moment marks the transition of the coordination and management of the Internet’s unique identifiers to the private-sector, a process that has been committed to and underway since 1998.
For more than 15 years, ICANN has worked in concert with other technical bodies such as IETF, Regional Internet Registries [RIR], top-level domain registries and registrars, and many others.
The final chapter of the privatization process began in 2014, when NTIA asked ICANN to organize:
private-sector reps
tech experts
academics
civil society
govts
individual Internet end users
& propose how to replace NTIA’s stewardship and enhance ICANN’s accountability mechanisms
private-sector reps
tech experts
academics
civil society
govts
individual Internet end users
& propose how to replace NTIA’s stewardship and enhance ICANN’s accountability mechanisms
Jeff Neuman worked for Neustar for 15 years, where he was President of Law and Policy & represented the Registry Stakeholder Group [RySG] as a GNSO councilor at ICANN
16 April 2021
3 Aug 2020
IT personnel at NTIA may have uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products.
krebsonsecurity.com/2021/04/did-so…
3 Aug 2020
IT personnel at NTIA may have uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products.
krebsonsecurity.com/2021/04/did-so…
March 2021
Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack.
Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack.
An analysis of the malicious file and other submissions by the same VirusTotal user suggest the account that initially flagged the backdoor as suspicious belongs to IT personnel at NTIA, a division of the US Commerce Department that handles telecommunications and Internet policy
Both Microsoft and FireEye published blog posts on 4 Mar 2021 concerning a new backdoor found on high-value targets that were compromised by the SolarWinds attackers. FireEye refers to the backdoor as “Sunshuttle,” whereas Microsoft calls it “GoldMax.”
FireEye says the Sunshuttle backdoor was named “Lexicon.exe,” and had the unique file signatures or “hashes” of “9466c865f7498a35e4e1a8f48ef1dffd” (MD5) and b9a2c986b6ad1eb4cfb0303baede906936fe96396f3cf490b0984a4798d741d8 (SHA-1).
“In Aug 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository,” FireEye wrote.
A search in VirusTotal’s malware repository shows that on Aug. 13, 2020 someone uploaded a file with that same name and file hashes
A search in VirusTotal’s malware repository shows that on Aug. 13, 2020 someone uploaded a file with that same name and file hashes
It’s often not hard to look through VirusTotal and find files submitted by specific users over time, and several of those submitted by the same user over nearly two years include messages and files sent to email addresses for people currently working in NTIA’s IT dept
The NTIA did not respond to requests for comment. But in December 2020, WSJ reported the NTIA was among multiple federal agencies that had email and files plundered by the SolarWinds attackers.
“The hackers broke into about three dozen email accounts since June at the NTIA, including accounts belonging to the agency’s senior leadership, according to a U.S. official familiar with the matter,” WSJ wrote.
It’s unclear what, if anything, NTIA’s IT staff did in response to scanning the backdoor file back in Aug. 2020. But the world would not find out about the SolarWinds debacle until early Dec 2020, when FireEye first disclosed the extent of its own compromise from the SolarWinds
The SolarWinds attack involved malicious code being surreptitiously inserted into updates shipped by SolarWinds for some 18,000 users of its Orion network management software.
Beginning in March 2020, the attackers then used the access afforded by the compromised SolarWinds software to push additional backdoors and tools to targets when they wanted deeper access to email and network communications.
US intel agencies have attributed the SolarWinds hack to an arm of the Russian state intelligence known as the SVR, which also was determined to have been involved in the hacking of the DNC six years ago.
WH issued sanctions against Russia in response to the SolarWinds attack and other malicious cyber activity, leveling economic sanctions against 32 entities and individuals for disinfo efforts and for carrying out the Russian govt’s interference in the 2020 presidential election.
US Treasury Dept (which also was hit with second-stage malware that let the SolarWinds attackers read Treasury email communications) has posted a full list of those targeted, inc. 6 Russian companies for providing support to the cyber activities of the Russian intel service
FBI, NSA & CISA issued a joint advisory on several vulnerabilities in widely-used software products that the same Russian intel units have been attacking to further their exploits in the SolarWinds hack.
Among those is CVE-2020-4006, a security hole in VMWare Workspace One Access that VMware patched in Dec 2020 after hearing about it from the NSA.
“Recent Russian SVR activities include:
compromising SolarWinds Orion software updates
targeting COVID-19 research facilities through deploying WellMess malware
leveraging a VMware vulnerability that was a 0day for follow-on SAML authentication abuse,” the NSA’s advisory reads
compromising SolarWinds Orion software updates
targeting COVID-19 research facilities through deploying WellMess malware
leveraging a VMware vulnerability that was a 0day for follow-on SAML authentication abuse,” the NSA’s advisory reads
“SVR cyber actors also used authentication abuse tactics following SolarWinds-based breaches.”
Officials within the Biden administration have told media outlets that a portion of the United States’ response to the SolarWinds hack would not be discussed publicly.
Officials within the Biden administration have told media outlets that a portion of the United States’ response to the SolarWinds hack would not be discussed publicly.
But some security experts are concerned that Russian intelligence officials may still have access to networks that ran the backdoored SolarWinds software, and that the Russians could use that access to affect a destructive or disruptive network response of their own, NYT reports
“Inside American intelligence agencies, there have been warnings that the SolarWinds attack — which enabled the SVR to place ‘back doors’ in the computer networks — could give Russia a pathway for malicious activity against government agencies and corporations,” NYT observed
• • •
Missing some Tweet in this thread? You can try to
force a refresh
