As the list of known organizations compromised by way of the SolarWinds supply chain attack is slowly growing – according to Reuters, the attackers also breached U.S. Department of Homeland Security’s systems, the State Department, and the National Institutes of Health – Microsoft has decided that its Defender Antivirus will start blocking/quarantining the known malicious SolarWinds binaries today – even if the process is running.
Some companies are about to find out they actually do use SolarWinds in production… https://t.co/eQhOoPUDF8
— Yoshi (@ChicagoCyber) December 15, 2020
SolarWinds hackers’ many capabilities
As security researcher Vinoth Kumar pointed out, the attackers might have easily compromised the company’s update server by using a password that was published on their public Github repository for over a year or, as several Reuters sources noted, they might have bought access to SolarWinds’ computers through underground forums.
We’re likely still far from getting concrete information about how the attackers actually got into SolarWinds’ systems, but the company’s recent report to the U.S. Securities and Exchange Commission seems to point to Microsoft Office 365 account compromise as the initial vector.
On that note: Volexity researchers say that the SolarWinds hackers – a threat actor they named Dark Halo – have repeatedly compromised a U.S.-based think tank all through 2019 and 2020, and have demonstrated a wide variety of sophisticated capabilities.
“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel,” they shared.
“Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020.”
The picture they paint points to sophisticated attackers, who “displayed a reasonable level of operational security throughout the attack, taking steps to wipe logs for various services used and to remove evidence of their commands from infected systems.”
Despite many unnamed sources fingering Russian hacking group APT 29 (aka CozyBear) for the breach, Volexity noted that they “discovered no hints as to the attacker’s origin or any links to any publicly known threat actor.”
What should possible and confirmed targets do?
SolarWinds has updated its security advisory and released a FAQ to say that:
- Only its Orion Platform was compromised by the attackers, and only specific versions (released between March and June 2020)
- There are 18,000 customers potentially affected by this security vulnerability (i.e., that’s the number of customers who downloaded the booby-trapped Orion versions)
The company has provided advice on what organizations should do to check whether they are among those that have been compromised and what to do if they find out they have.
It’s good to note here that, while many organizations have apparently downloaded the malicious Orion versions and were saddled with the Sunburst backdoor, the attackers might have not used that access to rifle through their systems. From the information currently available, the attackers concentrated on a limited number of specific targets.
Microsoft and industry partners have taken over and sinkholed a domain that the Sunburst malware would contact to received further instructions, so they will be able to create a partial list of compromised organizations and notify them.
SolarWinds has provided clean updates for the Orion platform and guidelines on what organizations can do if they can’t perform the update. The DHS, FireEye, Volexity and Microsoft have provided additional advice and IoCs.
The security teams of organizations using the Orion platform have a lot of work ahead of them: they have to perform a thorough check of all their systems, networks and assets, all the while hoping that they weren’t singled out by the attackers for thorough compromise (or by other attackers whose presence they missed before!)
UPDATE (December 16, 2020, 11:00 a.m. PT):
Duo Security got in touch to point out that the incident described by Volexity that involved Duo’s integration for the Outlook Web Application (OWA) was not due to any vulnerability in Duo’s products.
“Rather, the post details an attacker that achieved privileged access to integration credentials, that are integral for the management of the Duo service, from within an existing compromised customer environment, such as an email server,” the company spokesperson explained.
“In order to reduce the likelihood of such an event, it is critical to protect integration secrets from exposure within an organization and to rotate secrets if compromise is suspected. Compromise of a service that is integrated with an MFA provider can result in disclosure of integration secrets along with potential access to a system and data that MFA protects.”