A supply chain attack trojanized SolarWinds Orion through its regular software updates, using them to distribute malware that is being referred to as SUNBURST. Here are the top six need-to-know questions and answers for IT managers, CISOs, CIOs, MSPs, or anyone else concerned about the security of their network.
What happened during the SolarWinds attack? An attack by criminals believed to be associated with Russian intelligence agencies used a SolarWinds Orion software update as an entry point to infiltrate some of the US’s largest companies and governmental agencies. Although forensic experts suggest the change to the source code took place as early as spring 2020, there is no definitive evidence of exactly when the hackers turned trusted software into malicious code, so some systems were compromised for months.
This cyber attack also has significant implications for anyone responsible for managing a computer network — including every small to medium business (SMB), mid-sized commercial enterprise, and every state, local and municipal governmental entity.
According to the SolarWinds Security Advisory, there were two very distinct attacks: SUNBURST, delivered through the trojanized update described above, and SUPERNOVA:
- SUPERNOVA is malware that is separately placed on a server by an attacker who has already acquired unauthorized access to a customer’s network, and it is designed to appear to be part of a SolarWinds product.
- The SUPERNOVA malware consisted of two components.
- The first was a malicious, unsigned webshell DLL, “app_web_logoimagehandler.ashx.b6031896.dll”, specifically written to be used on the SolarWinds Orion Platform.
- The second was the exploitation of a vulnerability in the Orion Platform to enable deployment of the malicious code. This vulnerability has been resolved in SolarWinds’ latest updates, but the patch will not necessarily eliminate further breaches stemming from the initial infiltrations: hackers can use the confidential information already obtained, likely including credentials, to launch future attacks.
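A defender-side check that follows from the SUPERNOVA description above, added here as an example and not code from the SolarWinds advisory: it walks the Orion web application's bin directory (the default path is an assumption; set it to your own install), reports every DLL whose Authenticode signature is not valid, and separately calls out the filename the advisory names. Unsigned DLLs in that directory are leads for investigation, not proof of compromise on their own.

```powershell
# Added example, not from the SolarWinds advisory. The default path is an assumption;
# point -OrionBin at the Orion web application's bin directory on your server.
param(
    [string]$OrionBin = 'C:\inetpub\SolarWinds\bin',
    # Filename taken from the advisory text quoted on this page.
    [string[]]$KnownBad = @('app_web_logoimagehandler.ashx.b6031896.dll')
)

if (-not (Test-Path -LiteralPath $OrionBin)) {
    Write-Warning "Directory not found: $OrionBin"
    return
}

# Collect signature status, signer, timestamp and hash for every DLL under the bin directory.
$findings = Get-ChildItem -LiteralPath $OrionBin -Filter '*.dll' -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File         = $_.FullName
            SizeBytes    = $_.Length
            Modified     = $_.LastWriteTimeUtc
            SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            KnownBadName = $KnownBad -contains $_.Name
        }
    }

# The advisory-named webshell DLL should never be present; flag it explicitly.
$findings | Where-Object { $_.KnownBadName } |
    ForEach-Object { Write-Warning "Advisory-named webshell DLL present: $($_.File)" }

# Everything without a valid signature, newest first, with the hash for IR hand-off.
$findings | Where-Object { $_.SigStatus -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table File, SigStatus, Signer, Modified, Sha256 -AutoSize
```

Run it from an elevated PowerShell session on the Orion server; preserve the reported hashes and timestamps before removing anything so the evidence survives for incident response.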
What makes this attack different? The SolarWinds attack has been called a “supply chain attack”. These kinds of attacks succeed because organizations allow attackers into their network via a “trusted” source that has itself been infiltrated, such as a partner, a supplier, or a trusted vendor of software that you use and have likely whitelisted. This is extremely insidious because it means you have not done anything wrong — rather, someone you have always trusted is the cause of the problem. Detecting these types of attacks is extremely difficult for IT teams and typically requires multiple layers of security, especially ones focused on detecting intrusions and behavioral anomalies.
Is my organization at a higher risk due to this attack? This type of attack is far more sophisticated than the average bad actor’s. Every commercial business; every federal, state and local governmental agency, including municipalities and other local governments; government contractors, schools, universities, financial advisers, financial intermediaries, law firms, accounting firms, other professional firms, health care organizations, pharma companies, hospitality businesses, retail establishments, transportation companies, manufacturers, technology companies — essentially all US businesses, not-for-profits, and governments are at risk.
Does this increase the risk of ransomware? Yes. These types of attacks no longer have to rely on tricking one of your employees into downloading malicious software onto their personal computer, smartphone, tablet or other device. Now the criminals gain access directly to your network infrastructure without having to take that initial step. Even though the initial SolarWinds breach mostly affected enterprise networks, that does not mean the mid-market is being ignored by cybercriminals.
- Smaller organizations typically have immature security strategies in place, which makes them even easier to infiltrate.
- Smaller businesses also rely on similar “trusted” services, which hackers can compromise and then use as backdoors into the network.
- Many attacks are carried out to perform what is called credential harvesting, in which bad actors collect usernames and passwords to launch future attacks.
How can I assess my current cybersecurity posture? You might ask: “What if I have cybersecurity protection in the form of an excellent firewall, proper antivirus, email security and a quality endpoint solution; am I protected?” Unfortunately, no. In the past there has been some belief that this combination of cybersecurity solutions would reasonably protect a small to midsize business or local government from ransomware. With the SolarWinds hack and the related infiltration of other large vendors of software and other products, it is now clear that a security posture focused only on protecting the network endpoints (such as laptops, desktops, mobile phones, tablets and servers) will not succeed in detecting and thwarting these types of attacks, because the hackers can bypass those endpoints and enter your network’s servers and other infrastructure directly. Also, these security layers all produce logs and events that need to be monitored in near real-time in order to stop an attack effectively. If no one is actively and thoroughly monitoring 24/7, the likelihood of a successful attack is very high.
What steps should IT be taking to provide reasonable defense? Based on all the above, you might ask: “Does this mean it is no longer economically feasible for a small to midsize business or local government to protect its network using reasonable cybersecurity tools and solutions?” No, that is not what it means. Rather, it indicates that a somewhat different approach to cybersecurity is needed.
Since supply chain attacks such as SolarWinds can use attack vectors that are already inside your network, we recommend reviewing the following checklist:
☐ Perform security vulnerability assessments regularly
☐ Implement network traffic monitoring, including intrusion detection and intrusion prevention systems (IDS/IPS)
☐ Monitor lateral and internal network traffic, including deceptive threat detection
☐ Implement and monitor a Security Information and Event Management (SIEM) system, which centralizes log collection across multiple devices
☐ Run a scan for exposed credentials being sold on the Dark Web
☐ Provide 24/7 near real-time monitoring of all security layers
This checklist may sound expensive and resource intensive. However, with the right security partner, it is achievable even for SMBs to reach this level of security maturity at a reasonable investment, especially in comparison to the total cost of a data breach.
The SolarWinds attack is still under investigation, and the severity and number of networks impacted will continue to grow. Currently, over 18,000 customers have been directly impacted and over 250 networks have already been accessed by hackers.
Because of the lateral spread of this type of attack, the results of this breach should bring cybersecurity efforts to the top of your priority list regardless of whether you use SolarWinds products. With attacks taking longer to identify and contain, we expect to see a spike in the cost of a breach.
Now more than ever, it is crucial to actively monitor alerts provided by technology that detects known vulnerabilities as well as advanced heuristics and deep packet inspection to detect anomalous activity.
As a first step, we encourage all organizations to take advantage of our complimentary vulnerability scan. This will help your IT team prioritize and remediate gaps in your security posture. This complimentary scan is only valid for the first 25 qualified organizations who complete this request.