5 Key Takeaways From the SolarWinds Breach
New details continue to emerge each day, and there may be many more lessons to learn from what could be among the largest cyberattacks ever.
December 18, 2020
Anxiety over the recent SolarWinds and US government cyberattack went up a notch Thursday when the DHS' Cybersecurity and Infrastructure Security Agency (CISA) warned the advanced persistent threat (APT) group behind the incident might be using multiple tactics to gain initial access into target networks.
It was first widely thought that the likely Russia-backed threat actor was distributing malware to thousands of organizations worldwide by hiding it in legitimate updates to SolarWinds' Orion network management software. On Thursday, CISA said its analysis showed attackers may have also used another initial vector: a multifactor authentication bypass, done by accessing the secret key from the Outlook Web App (OWA) server.
CISA pointed to an alert that Volexity issued earlier in the week, in which the security vendor noted this MFA bypass tactic was used in another attack involving the same intruder responsible for the SolarWinds campaign.
News of at least one additional attack vector, and likely more, came as organizations and the industry as a whole struggled to come to terms with what is arguably among the most significant cyber incidents in recent years. The attackers who breached SolarWinds used the company's software updates — and now, according to CISA, other methods — to install a backdoor called SUNBURST on systems belonging to governments, defense and military entities, and numerous private sector companies.
Victims of the campaign are thought to include the US Treasury Department, Department of Homeland Security, Justice Department, State Department, entities from all five branches of the US military, and several Fortune 500 companies. There were reports Thursday that the National Nuclear Security Administration and the Energy Department had also been breached in the campaign.
The breathtaking scope of this incident and remarkable stealth with which it was executed have sparked considerable worry about the level of access the attackers may still have on target networks.
With details around the attack still emerging, it is far too early to say with certainty what organizations should learn from the whole incident. Read on to learn five immediate issues the attacks have highlighted so far.
The SolarWinds incident shows how remote monitoring and management (RMM) tools present an attractive attack vector, says Eran Farajun, executive vice president at Asigra. Many managed service providers use RMM tools to monitor client networks, endpoints, and devices. SolarWinds has thousands of MSPs as its customers; together, they have hundreds of thousands of clients among them.
RMM tools require an agent to be installed on client servers, hypervisors, workstations, networking devices, laptops, and other mobile endpoints, which gives them deep access into enterprise networks. "RMM agents/probes normally have OS and below level access," Farajun says. A variety of agents monitor things such as patch and version levels, and hardware performance issues including CPU, memory, fan speeds, and other functions. "These agents/probes are normally not well protected, if at all," Farajun says.
When MSPs use their RMM platform with tightly integrated backup solutions, it provides a single access point for attackers to target dozens, hundreds, or even thousands of organizations, he notes. "One of the best practices is to ensure your most important tools are 'app-gapped,' which means they are not integrated into a common platform, which, if compromised, enables the attackers to use it as a proxy to traverse any other tightly integrated application within a platform," he says.
SolarWinds has said the attackers likely inserted the SUNBURST malware into its software updates by gaining access to the company's build system, or CI/CD environment. This incident is another example of why organizations need to pay attention to security during the software development life cycle. The move to more agile development methods in recent years has improved speed and cadence of software delivery, but analysts have noted security is often seen as an impediment in this environment.
So-called build systems "are designed to package up source code, perform any steps required to make it usable in production, and, increasingly these days, actually deploy the changes" into production, says Daniel Trauner, director of security at Axonius. These systems are critical for software engineering teams, who rely on them to make it as easy as possible to run automated tests and ship their code.
"[But] because engineers are often concerned about the reliability of CI/CD systems, they may not be audited or maintained as carefully, especially with respect to security," Trauner says. Organizations should take care to protect and audit the usage of any software signing keys within a build system, he adds.
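Trauner's advice to audit the use of signing keys inside the build system is concrete enough to show in code. The following is an added example, not code from the article or from any vendor it names: it reads constructed signing-service audit lines (JSON, one per line) and reconciles each signing event against what the CI system itself recorded for the pipeline run. The field names, host names and run ids are all hypothetical. A signing with no pipeline run behind it, from a host that is not a build runner, or of an artifact digest the pipeline never produced is flagged.

```python
import json

# Hosts permitted to invoke the release signing key (hypothetical inventory).
ALLOWED_SIGNING_HOSTS = {"ci-runner-01", "ci-runner-02"}

# Constructed sample: what the build system itself recorded for each pipeline run,
# i.e. which runner executed it and the digest of the artifact it produced.
CI_BUILD_RECORDS = {
    "run-1001": {"artifact_sha256": "a" * 64, "runner": "ci-runner-01"},
    "run-1002": {"artifact_sha256": "b" * 64, "runner": "ci-runner-02"},
}


def _event(**fields):
    """Serialize one constructed audit event as a JSON log line."""
    return json.dumps(fields)


# Constructed sample: audit lines as a code-signing service might emit them.
SIGNING_LOG = "\n".join([
    _event(ts="2020-12-10T02:15:00Z", key_id="release-key-2020", actor="ci-bot",
           host="ci-runner-01", run_id="run-1001", artifact_sha256="a" * 64),
    _event(ts="2020-12-10T03:40:00Z", key_id="release-key-2020", actor="ci-bot",
           host="ci-runner-02", run_id="run-1002", artifact_sha256="b" * 64),
    # Interactive signing from a file server, not tied to any pipeline run.
    _event(ts="2020-12-11T23:05:00Z", key_id="release-key-2020", actor="svc-deploy",
           host="build-share-07", run_id=None, artifact_sha256="c" * 64),
    # Signing under a genuine run id, but of a digest that run never produced.
    _event(ts="2020-12-12T01:12:00Z", key_id="release-key-2020", actor="ci-bot",
           host="ci-runner-01", run_id="run-1001", artifact_sha256="d" * 64),
])


def audit_signing_log(log_text, build_records, allowed_hosts):
    """Return one finding per signing event that cannot be tied to a legitimate build.

    Each finding lists the reasons in the order the checks run:
    unknown_host, no_pipeline_run, digest_mismatch, runner_mismatch.
    """
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        reasons = []
        # Check 1: the key was used from a host that is not a build runner.
        if ev.get("host") not in allowed_hosts:
            reasons.append("unknown_host")
        run = build_records.get(ev["run_id"]) if ev.get("run_id") else None
        if run is None:
            # Check 2: no pipeline run claims this signing.
            reasons.append("no_pipeline_run")
        else:
            # Check 3: the signed bytes are not what the pipeline built.
            if ev.get("artifact_sha256") != run["artifact_sha256"]:
                reasons.append("digest_mismatch")
            # Check 4: the signing host is not the runner that executed the build.
            if ev.get("host") != run["runner"]:
                reasons.append("runner_mismatch")
        if reasons:
            findings.append({"ts": ev["ts"], "key_id": ev["key_id"],
                             "host": ev["host"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_signing_log(SIGNING_LOG, CI_BUILD_RECORDS, ALLOWED_SIGNING_HOSTS):
        print(f["ts"], f["key_id"], f["host"], ",".join(f["reasons"]))
```

The reconciliation only works if the build system's own run records are written somewhere the signing host cannot edit; the point of the check is that the signer and the builder are two independent witnesses to the same digest.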
As organizations around the world realized this week, some cyberattacks are nearly impossible to detect, complex to piece together, and difficult to mitigate. Assumptions about how a breach happened can be wrong, as can estimates of its scope and impact.
Early reports of this massive cyber-espionage campaign suggested its initial infection vector was SolarWinds' Orion network management platform. However, on Thursday, CISA disclosed an analysis indicating attackers likely used additional access vectors to gain a foothold on target networks. For organizations that had already installed SolarWinds patches and deployed recommended mitigation measures against the initial attack vector, the news likely raised fresh concerns about their potential exposure to further attacks.
This incident was a reminder of how the obfuscation, anti-forensics, and persistence tactics, which adversaries use to conceal malicious activity and maintain persistence, can cause problems long after a breach has been detected and seemingly mitigated. Tactics reportedly used here, according to CISA and others, included virtual private servers with IP addresses in the victim's home country, rotating "last-mile" IP addresses to different endpoints, steganography, and spoofed tokens and forged credentials for lateral movement and privileged access. "CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations," the agency says.
Attackers inserted malicious code into legitimate updates of SolarWinds' Orion network management product because they knew organizations would implicitly trust and install them. In this case, those receiving the updates wouldn't have known something was wrong, even if they had vetted for security issues, because the malware was hidden in a digitally signed software component.
This attack is the latest example of an adversary targeting trusted third parties that supply key technologies and services to a large number of organizations or consumers. Customers of these vendors almost always fully trust the technologies, making them perfect vehicles for sneaking in malware. The SolarWinds campaign was particularly clever because it involved technology trusted by IT staff and network admins with deep and highly privileged access to enterprise networks.
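The passage above makes the point that a valid digital signature proves who released a component, not that the release pipeline was clean. The following added example (not code from the article or from SolarWinds) shows a receiving side that refuses to accept an update on the vendor's signature alone and additionally requires the artifact digest to match a value obtained independently of the vendor's build system, such as the digest of a reproducible rebuild. The vendor signature is stood in for by an HMAC with a constructed key so the example needs no third-party library; the artifacts and digests are constructed sample values.

```python
import hashlib
import hmac

# Stand-in for the vendor's release-signing key (constructed). A real vendor would
# use an asymmetric key held in an HSM; HMAC keeps the example dependency-free.
VENDOR_SIGNING_KEY = b"constructed-vendor-release-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_sign(artifact: bytes) -> str:
    """The vendor's release step: sign whatever artifact the build system hands over.

    This step cannot tell a clean build from a tampered one, which is the whole
    problem when the build environment itself is compromised.
    """
    return hmac.new(VENDOR_SIGNING_KEY, sha256_hex(artifact).encode(),
                    hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(vendor_sign(artifact), signature)


def verify_update(artifact: bytes, signature: str, independent_digest: str):
    """Return (accepted, reason).

    Accept only when the vendor signature verifies AND the artifact's digest equals
    one recorded outside the vendor's pipeline (independent_digest).
    """
    if not signature_valid(artifact, signature):
        return False, "signature_invalid"
    if not hmac.compare_digest(sha256_hex(artifact), independent_digest):
        return False, "signed_but_differs_from_independent_build"
    return True, "ok"


# Constructed sample: the artifact the vendor's source actually builds to.
CLEAN_UPDATE = b"example-nms-core 2020.2 release payload (constructed)"
# Digest a receiving organisation recorded from an independent rebuild of that source.
INDEPENDENT_DIGEST = sha256_hex(CLEAN_UPDATE)
# Constructed stand-in for an artifact altered inside the build environment before signing.
TAMPERED_UPDATE = CLEAN_UPDATE + b"\x00extra-bytes-inserted-at-build-time\x00"


def demo():
    """Run both artifacts through the vendor signer and the receiver's verifier."""
    clean_sig = vendor_sign(CLEAN_UPDATE)
    tampered_sig = vendor_sign(TAMPERED_UPDATE)  # compromised pipeline signs it too
    return {
        "clean": verify_update(CLEAN_UPDATE, clean_sig, INDEPENDENT_DIGEST),
        "tampered_signature_only": signature_valid(TAMPERED_UPDATE, tampered_sig),
        "tampered": verify_update(TAMPERED_UPDATE, tampered_sig, INDEPENDENT_DIGEST),
        "forged": verify_update(CLEAN_UPDATE, "0" * 64, INDEPENDENT_DIGEST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The second check is only as good as the independence of the digest source: a digest published by the same vendor on the same download portal adds nothing, whereas one from a reproducible build or a separately operated transparency log does.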
In 2017, threat actors used a similar tactic when they installed three backdoors in accounting software M.E. Doc, and used them to distribute the destructive NotPetya malware on thousands of systems worldwide. In a March 2019 incident, attackers compromised an automatic software update server at hardware maker ASUS and used it to distribute malware to target organizations.
Attacks hidden in trusted software and infrastructure components can be hard to detect and block, even with the best defense mechanisms and supply chain/vendor vetting programs.
The focus, therefore, needs to be on containing damage as much as possible by segmenting the network and building air gaps between critical applications. This approach can restrict the propagation of attacks internally and enable faster remediation, said Bryan Skene, CTO at Tempered Networks, in a blog post.
"When a trusted piece of the infrastructure becomes compromised, as in this case with code injected into the SolarWinds system, there is virtually no security infrastructure that can detect and remediate the attack on the fly," Skene said.
Attacks like the one carried out through SolarWinds Orion show why, in addition to network segmentation, security leaders should also consider new approaches to access control. "Organizations need to start thinking about a security methodology that relies less on blocking specific traffic by policy, and actively moving towards a zero-trust, positive security model that explicitly states which traffic between users and hosts can be allowed, or whitelisted," he wrote.
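Skene's "positive security model" and Farajun's "app-gapping" advice earlier in the article describe the same control from two angles: enumerate the flows that are allowed and deny everything else, so that a compromised management tool cannot reach systems it has no business talking to. The following added example (not code from the article or from either vendor) is a small default-deny policy evaluator. Policy is written in terms of host roles rather than addresses; the inventory, roles, rules and sample flows are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    src_role: str
    dst_role: str
    proto: str
    port: int


# Hypothetical inventory: identity (role) is what policy is written against.
INVENTORY = {
    "10.0.10.5": "rmm-server",
    "10.0.20.11": "workstation",
    "10.0.20.12": "workstation",
    "10.0.30.2": "domain-controller",
    "10.0.40.7": "backup-server",
}

# The positive model: only these role-to-role flows are permitted. There is no
# rule from rmm-server to domain-controller or backup-server, so the backup
# platform is "app-gapped" from the management platform by construction.
ALLOW_RULES = [
    AllowRule("rmm-server", "workstation", "tcp", 443),
    AllowRule("workstation", "domain-controller", "tcp", 88),
    AllowRule("workstation", "domain-controller", "tcp", 389),
]


def evaluate_flow(src_ip, dst_ip, proto, port, inventory=INVENTORY, rules=ALLOW_RULES):
    """Return (decision, reason) for one flow; anything not explicitly allowed is denied."""
    src_role = inventory.get(src_ip)
    dst_role = inventory.get(dst_ip)
    if src_role is None or dst_role is None:
        # An unregistered endpoint has no identity, so no rule can match it.
        return "deny", "unknown_identity"
    for r in rules:
        if (r.src_role, r.dst_role, r.proto, r.port) == (src_role, dst_role, proto, port):
            return "allow", f"rule:{src_role}->{dst_role}/{proto}/{port}"
    return "deny", "no_matching_allow_rule"


# Constructed sample flows, as they might be read from a flow log.
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.11", "tcp", 443),   # RMM to a monitored workstation
    ("10.0.20.11", "10.0.30.2", "tcp", 88),    # workstation Kerberos to the DC
    ("10.0.10.5", "10.0.30.2", "tcp", 445),    # RMM server reaching the DC over SMB
    ("10.0.10.5", "10.0.40.7", "tcp", 22),     # RMM server reaching the backup server
    ("10.0.99.9", "10.0.20.12", "tcp", 443),   # host not in the inventory
]


def evaluate_all(flows):
    """Evaluate a batch of flows; returns [(flow, decision, reason), ...]."""
    return [(flow, *evaluate_flow(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, decision, reason in evaluate_all(SAMPLE_FLOWS):
        print(decision.upper().ljust(5), flow, reason)
```

Denials from this evaluator are worth more than the allows: an RMM server attempting SMB to a domain controller, or any traffic from an unregistered address, is exactly the kind of event the article's fourth takeaway says is hard to spot once a trusted tool has been subverted.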