
SolarWinds hack explained - Everything you need to know

The SolarWinds supply chain attack is one of the most sophisticated attacks to have affected US agencies and private companies. In fact, its reach is more likely global.

What is the SolarWinds Hack?

SolarWinds is an American company that develops software that helps businesses manage their networks and systems. Its products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and educational institutions. Among the company's products is an IT performance monitoring system called Orion.

When FireEye Inc disclosed that it had been hacked, it said the attackers were infecting their targets through Orion, a widely used business software product from SolarWinds. After taking control of the Orion update mechanism, the attackers used it to install a backdoor that FireEye researchers are calling 'SunBurst'. FireEye researchers wrote, "The victims have included government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East".

Systems Affected by the Attack

  • SolarWinds Orion Platform version 2019.4 HF 5
  • SolarWinds Orion Platform version 2020.2
  • SolarWinds Orion Platform version 2020.2 HF 1

Attack Type

Researchers confirmed it as a supply chain attack, in which attackers exploit a less secure element at a third-party vendor in the supply chain. They gained access to victims' systems via trojanized updates to the SolarWinds Orion IT monitoring and management software.

The Orion software also has a vulnerability that could allow authentication bypass: API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of a URL request, which could allow an attacker to execute unauthenticated API commands. The malware was named 'Sunburst' by FireEye.

Over 30,000 public and private organizations use the Orion network management system. It has come to light that more than 17,000 customers installed the trojanized update, and therefore all of those organizations were hacked. Not only were SolarWinds customers affected; the hackers also went on into those customers' networks.

Private companies affected by this attack

On Dec 13, 2020, FireEye said it had been hacked. The attackers stole the tools FireEye uses to analyze vulnerabilities in client systems and software. FireEye said there was no evidence that the stolen tools had been used against any government agencies.

On Dec 17, 2020, Microsoft admitted that the SolarWinds hackers had accessed its source code, but said there was no evidence that they were able to access production servers or customer data. Microsoft stated in its blog that "there were attempted activities beyond just the presence of malicious SolarWinds code in our environment". It continued to see unsuccessful access attempts by the actor into early January 2021, when the attempts stopped.

According to a recent report, at least 24 big companies, including tech giants Cisco, VMware, Nvidia, Intel, SAP, Cox Communications, Deloitte, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Digital Reach, Digital Sense, and many more, suffered data breaches.

CrowdStrike, a top security firm, was notified by Microsoft that threat actors had attempted to read the company's emails through compromised Microsoft Azure credentials. However, CrowdStrike says the attempt was ultimately unsuccessful. Malwarebytes, a cybersecurity firm, also confirmed that the hackers behind the SolarWinds attack were able to gain access to some company emails by exploiting a weakness in Azure Active Directory and abusing malicious Office 365 applications.

There are many more top tech companies and US government agencies in the list of SolarWinds clients. FireEye said most of its customers were affected.

US Government agencies affected by the attack

According to the Wall Street Journal's report of Dec 17, 2020, the victims included US agencies such as parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the US Treasury, as well as organizations such as the California Department of State Hospitals and Kent State University.

According to reports on March 19, 2021, the US Department of Justice (DOJ) was hacked. This activity involved access to the Department's Microsoft Office 365 email environment: the threat actors gained access to roughly 3% of the Department's Office 365 email inboxes. After learning of this malicious activity, the OCIO blocked the method the attackers had used to gain access to the DOJ Office 365 email accounts.

Since the attack was carried out stealthily, the Wall Street Journal's report says that some victims may never know they were hacked.


Who is Behind It?

Looking at the nature of the attack, researchers and cyber experts stated that Russia's state-sponsored hackers are responsible for the hack. Russian intelligence was also credited with breaking into the email servers of the White House, the State Department, and the Joint Chiefs of Staff in 2014 and 2015.

US officials stated that the specific group responsible was probably the SVR (the Foreign Intelligence Service of the Russian Federation). On Jan 5, the FBI and NSA joined the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence in saying the hack was "likely Russian in origin."

Russia denied the statements regarding the hack, saying that "Malicious activities against foreign states is against Russian's policy" and that "Russia does not conduct offensive operations in the cyber domain."

FireEye gave the suspects the placeholder name "UNC2452"; the group is also known as CozyBear. Recently, the US, UK, and Canada identified the same group as responsible for hacking efforts that tried to access information about COVID-19 vaccine research.

Countermeasures to mitigate and prevent these attacks

2020 has taught us the importance of cybersecurity. A lack of cyber hygiene is the biggest vulnerability any organization has.
  • Cybersecurity should be treated as a standing item in your firm's meetings and decisions.
  • Strong passwords and multi-factor authentication should be mandatory.
  • Ensure all staff receive annual cybersecurity awareness training.
  • Design an effective incident response plan.
  • Continuously monitor for high-risk events such as new account creation, new services being created, privilege escalation, changes to security posture and the disabling of security-related services, and, most importantly, monitor for anomalies in network traffic.
  • Conduct vulnerability assessments frequently and patch the findings as soon as possible.
  • Update the incident management plan monthly so that it keeps pace with current threats.
  • Implement access control and defense-in-depth mechanisms according to your organization's level of risk.
  • Sign up for the monthly vulnerability scans conducted by DHS for an outsider's view of your risk, and use a third party to perform internal vulnerability assessments and penetration testing, giving IT and leadership an unbiased snapshot of current risks.
  • Maintenance of physical security plays a major role: ID checks, biometrics, and monitoring systems should be reviewed continuously.
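The monitoring bullet above names the events worth watching for. As an added example, not from the original post, here is a small Python filter that picks those events out of constructed Windows-style log lines (the event IDs are real Windows Security/System IDs; the pipe-delimited log format, host names and sample lines are hypothetical) and correlates account creation with later privileged use.

```python
import re
from collections import Counter

# Windows event IDs for the high-risk events the list above names (real IDs); the
# "host|event_id|subject|detail" log format and the sample lines are constructed.
HIGH_RISK_EVENTS = {
    4720: "new account created",
    7045: "new service installed",
    4672: "special privileges assigned to new logon",
    4732: "member added to security-enabled local group",
    1102: "audit log cleared",
}

SAMPLE_LOG = """\
srv-orion01|4624|CORP\\svc_orion|Logon Type 3
srv-orion01|7045|SYSTEM|Service installed: name=OrionUpdater path=C:\\Temp\\upd.exe
srv-orion01|4720|CORP\\admin|New account: backup_svc
srv-orion01|4732|CORP\\admin|backup_svc added to Administrators
dc01|4672|CORP\\backup_svc|Special privileges assigned
dc01|1102|CORP\\backup_svc|The audit log was cleared
ws-045|4624|CORP\\jdoe|Logon Type 2
"""

LINE_RE = re.compile(r"^(?P<host>[^|]+)\|(?P<eid>\d+)\|(?P<subject>[^|]+)\|(?P<detail>.*)$")

def parse_log(text):
    """Parse well-formed lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append({"host": m["host"], "event_id": int(m["eid"]),
                           "subject": m["subject"], "detail": m["detail"]})
    return events

def find_high_risk(events):
    """Keep only events whose ID is in HIGH_RISK_EVENTS, tagging each with its reason."""
    return [dict(e, reason=HIGH_RISK_EVENTS[e["event_id"]])
            for e in events if e["event_id"] in HIGH_RISK_EVENTS]

def escalation_chains(events):
    """Accounts created (4720) that also appear as the subject of a special-privilege
    logon (4672): routine events on their own, a sequence worth an analyst's attention."""
    created = [name for e in events if e["event_id"] == 4720
               for name in re.findall(r"New account: (\S+)", e["detail"])]
    privileged = {e["subject"].split("\\")[-1] for e in events if e["event_id"] == 4672}
    return sorted(c for c in created if c in privileged)

def hosts_by_risk(events):
    """Count high-risk events per host, noisiest host first."""
    return Counter(e["host"] for e in find_high_risk(events)).most_common()
```

In a real deployment the same filter would be fed from the SIEM or Windows Event Forwarding rather than a string, with the list of IDs extended to the security-service-disabled and audit-policy-changed events the bullet mentions.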
