https://thehill.com/policy/cybersecurity/542561-officials-see-widespread...

The nation’s top cybersecurity official told lawmakers Wednesday that the federal government is seeing “widespread” hacking using recently uncovered vulnerabilities in a Microsoft email application, with researchers saying almost a dozen hacking groups have used the flaw to target a variety of organizations.

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), testified to a House committee that the previously unknown vulnerabilities on Microsoft Exchange Server have been exploited globally and could have long-lasting consequences.

“CISA is already aware of widespread exploitation of the vulnerabilities, and trusted partners have observed malicious actors using these vulnerabilities to gain access to targeted organizations in the United States and globally,” Wales testified to the House Appropriations Committee’s homeland security subcommittee.

“Importantly, once an adversary gains access to a Microsoft Exchange Server, they can access and control an enterprise network even after the vulnerabilities are patched, and malicious exploitation could be executed by actors with various motivations, from stealing information to executing ransomware attacks to physically damaging infrastructure,” he warned.

Wales’s testimony came a week after CISA issued an emergency directive ordering all federal agencies to investigate for signs of compromise, and if found to immediately patch their systems to prevent exploitation.

Matt Stoller wrote about SolarWinds and how private equity is the cause for our shitty and vulnerable infrastructure.

How to Get Rich Sabotaging Nuclear Weapons Facilities

The most interesting part of the cybersecurity problem is that it isn’t purely about government capacity at all; private sector corporations maintain critical infrastructure that is in the “battle space.” Private firms like Microsoft are being heavily scrutinized; I had one guest-post from last January on why the firm doesn’t manage its security problems particularly well, and another on how it is using its market power to monopolize the cybersecurity market with subpar products. And yet these companies have no actual public obligations, or at least, nothing formal. They are for-profit entities with little liability for the choices they make that might impose costs onto others.

SolarWinds sells a network management package called Orion, and it was through Orion that the Russians invaded these systems, putting malware into updates that the company sent to clients. Now, Russian hackers are extremely sophisticated sleuths, but it didn’t take a genius to hack this company. It’s not just that criminals traded information about how to hack SolarWinds systems; one security researcher alerted the company last year that “anyone could access SolarWinds’ update server by using the password “solarwinds123.’”

Using passwords ripped form the movie Spaceballs is one thing, but it appears that lax security practice at the company was common, systemic, and longstanding. The company puts its engineering in the hands of cheaper Eastern Europe coders, where it’s easier for Russian engineers to penetrate their product development. SolarWinds didn’t bother to hire a senior official to focus on security until 2017, and then only after it was forced to do so by European regulations. Even then, SolarWinds CEO, Kevin Thompson, ignored the risk. As the New York Times noted, one security “adviser at SolarWinds, said he warned management that year that unless it took a more proactive approach to its internal security, a cybersecurity episode would be “catastrophic.” The executive in charge of security quit in frustration. Even after the hack, the company continued screwing up; SolarWinds didn’t even stop offering compromised software for several days after it was discovered.

In other words, the same sloppy and corrupt practices that allowed this massive cybersecurity hack made Bravo a billionaire. In a sense, this hack, and many more like it, will continue to happen, as long as men like Bravo get rich creating security vulnerabilities for bad actors to exploit.

In July, I interviewed Eileen Appelbaum, the author of Private Equity at Work: When Wall Street Manages Main Street. Eileen is quiet economist who has been leading the political fight against private equity barons, for years. She told me that the key problem with private equity isn’t the idea of financiers doing investment, as investment is necessary for any commercial sector to flourish. The problem is how these financiers - usually large ones who do cookie cutter deals - offload risk onto employees, lenders, investors, and the public itself.