As the scale of the compromise of SolarWinds’ Orion platform – which is so far known to have struck multiple US government departments and cyber security firm FireEye – continues to grow, security teams at thousands of other SolarWinds customers are on high alert.
The supply chain attack, dubbed Sunburst, involved the insertion of malicious code into Orion, giving the attacker a foothold in the network that they use to obtain elevated credentials, which in turn means they can gain access to more data and largely do as they please. The initial backdoor seems to have been distributed via legitimate automatic update platforms since March 2020.
At the time of writing, it affects SolarWinds’ Orion Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix, or 2020.2 HF 1 and hence a number of SolarWinds network monitoring products dependent on those – a full list is available from SolarWinds, while Microsoft has also published extensive guidance.
Although attribution is an uncertain science at the best of times, based on current information, the compromise was probably carried out by the Russian-state backed APT29 group, aka Cozy Bear, which has conducted a years-long campaign of cyber espionage against western targets including, perhaps most famously, the Democratic National Committee (DNC).
Kim Peretti, a former prosecutor at the US Department of Justice (DoJ) and now co-chair of the Cybersecurity Preparedness and Response Team and National Security and Digital Crimes Team at law firm Alston & Bird, described the attack as without parallel in cyber security history.
“We are only at the beginning stages of understanding the impact of this attack and may not know the true impact for many months, if ever,” she said. “It was perfect timing for a perfect storm given the contemporaneous timing of the malicious updates with the onset of Covid-19 restrictions in the US.
“The adversaries used the stealthiest of technical measures – such as a two-week dormancy, steganography, masquerading as legitimate activity, minimising malware use – to gain access and maintain persistence in the victims’ environment. This attack involved an A-plus game of a truly unprecedented nature.”
‘Cold, logical, rational’
The state-based nature of the attack may provide a quantum of solace to SolarWinds users at organisatons that are less likely to find themselves in the crosshairs of international geopolitics, but even so, with upwards of 18,000 potential victims, many of them Fortune 500 organisations, there is scope for the breach to widen dramatically, and it almost certainly will. So how should you react?
Sam Curry, chief security officer at Cybereason, said the sheer scale of the incident, which is already being compared in some quarters to the 2017 WannaCry incidents, demanded a “cold, logical, rational” response.
“In general, now is not the time for security experts to panic,” said Curry. “A practical and measured response is advised. If SolarWinds is being used in your organisation, strengthen your security posture as follows:
“Isolate machines running SolarWinds until further information is available as the investigation unfolds; reimage impacted machines; reset credentials for accounts that have access to SolarWinds machines; and upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.
“In addition, set up a task force to look through all data logs, check the hygiene of systems and make sure everyone is generally on high alert for future attacks. Ensure your company is always on the hunt for adversaries. The sooner you do these things, the sooner you can assume no one is lurking in your network in silent mode.”
Joe Slowik, senior security researcher at DomainTools, said the campaign was a “uniquely distressing” intrusion with implications for multiple verticals.
“The ubiquity of SolarWinds in large networks, combined with the potentially long dwell time of intrusions facilitated by this compromise, means victims of this campaign need not only recover their SolarWinds instance, but may need to perform widespread password resets, device recovery, and similar restoration activity to completely evict an intruder,” he said.
“While this is concerning and unfortunate for the present circumstances, future supply chain attacks – as this will not be the last such incident to impact network defenders and operators – can be met with and detected by aggressive NSM and communication visibility.”
Slowik added: “So long as even the most complex backdoor or implant requires communication to, or instructions from, a controlling entity, defenders have opportunities to detect and disrupt operations. Through continuous monitoring of network traffic and an understanding of what hosts are communicating, defenders can leverage attacker weaknesses and dependencies to overcome these otherwise daunting challenges.”
Third-party risk: hard to assess, but not impossible
Unfortunately for security teams at SolarWinds users, the very nature of a supply chain attack serves to highlight the lack of control that you really have over organisational security, and how easy it is to fall victim to an incident that, for all your careful preparation and attention to detail, you cannot avoid – simply because running security at SolarWinds is not within your gift, as Piers Wilson, head of product management at Australian SIEM specialist Huntsman Security pointed out.
“Many organisations have fortified their own cyber security defences, but as we have seen, a single partner or supplier being breached can undermine any positive action already taken,” he said. “The fact that a supplier was so successfully breached, putting core US government organisations at risk, highlights the huge importance of a secure supply chain.”
Wilson advocated that defenders should adopt a “holistic” approach to security, purely because having the latest and greatest solutions in place is only a partial defence if your suppliers experience a failure.
“Businesses often carry out due diligence on the financial viability of core partners to ensure they are not a risk,” he said. “The same has to be true for cyber security. Regular assessment or monitoring of all partners’ and suppliers’ cyber security practices must become commonplace, alongside a robust cyber security program to minimise the risk of falling victim to similar attacks.”
CyberGRX CISO Dave Stapleton said: “These continued attacks amplify the need for enterprises to blend social responsibility into risk management practices. Consider this: it is possible that none of your direct vendors use SolarWinds, but it is entirely likely that one of their critical third parties does, which would still leave your company at risk of outages or compromise.
“It’s very easy to become a victim of circumstance. It’s easy to be inundated by third parties and not be able to keep track of how they manage and protect their networks, or even how they characterise their risks – everyone does it differently and has different measurement criteria. Also, technology has only escalated the problem with the adoption of the cloud and a newly accelerated digital transformation.
“Most third parties try their best to report what they know about their networks to their larger enterprise partners, but gaps in knowledge, shortfalls in monitoring abilities, or lack in updated infrastructure and process tracking often end up introducing vulnerabilities.
“It’s as if they need to be walked through the process of reporting to make sure they don’t make any mis-steps. This can be accomplished, but it requires assessment based on multiple techniques, including self-assessment, external scanning, technology-led questionnaires, threat feed monitoring, and more.”