About one of the biggest hacks in history
In December of 2020, a prominent hacker group had been discovered and accused of creating a “backdoor” in SolarWinds software earlier in the year which had compromised around 18,000 customers total. The hack was a type of supply-chain attack where SolarWinds had its code base exploited with malicious code which called out to attacker-controlled servers in Russia. The code was then pushed out as software updates between March and June of 2020 to all of its customers, thus infecting everyone who used the software at this time. This included US government agencies, the Military, Pentagon, State Department, top telecommunication companies, the big 5 US accounting firms and many more.
The breach was originally discovered by the giant incident response firm FireEye who works with many government agencies and enterprise corporations. FireEye discovered they had been breached themselves and traced it back to compromised SolarWinds software within their own network. They discovered that the hacking group had accessed their “red team” tools repository and stolen the tools for malicious use. These tools are commonly used by FireEye in client-engagements in order to perform simulated hacking scenarios, aka red team engagements, similar to the one that occurred on them (albeit by real attackers).
FireEye, being the responsible Incident Response company that they are, immediately responded to the breach with an investigation into the Who, What, Where and When of the attack on their own network. Once determining the source of the backdoor in the SolarWinds Orion product, this likely set off a much larger investigation into all of the agencies and companies which utilize the same SolarWinds software and were therefore compromised, including 425 of 500 Fortune 500 companies in the US.
Why does it matter?
The SolarWinds breach was like no other of its kind. The company, based out of Texas, has thousands of customers throughout the world and has established themselves as a trusted advisor to governments and large corporations for many years. The breach itself is almost endless in scale due to the implementation and usage of the compromised SolarWinds product and code across many organizations. This makes it one of the most powerful and successful hacks in history. Period.
FireEye had established that the breach largely impacted about 50 companies who had confidential data and critical assets breached. The details and breadth or depth of the attacks on their infrastructure and networks are still largely unknown and being investigated. It will take months or even years of investigation to truly determine what type of information was stolen for each company affected. In the meantime, hackers are likely abusing the stolen red team tools and browsing through troves of confidential data to plan future attacks on critical infrastructure.
The attack was also so powerful due to the nature of supply-chain attacks. Hackers had to target only one trusted software application to inject their malicious code into. Due to the software’s implementation and ubiquity amongst government agencies and large corporations, anyone who used that software during that time had also been compromised and affected by the hack.
Large investigations have been ongoing by cybersecurity firms, the NSA, FBI, CISA and many more agencies to get to the bottom of the attack and to better understand its impact within the critical infrastructure and confidential data that was breached. It also increases tensions even more between an already fragile US and Russian geopolitical relationship.
What can you do about it?
Now is a time more than ever to increase cybersecurity awareness. Here are a few things to look at as an organization but by no means is this an exhaustive list. See resources at the end of this article for more information.
Employee Awareness
Train employees to increase awareness and help prevent attacks. Providing employee awareness and training also gives your employees confidence that their data (ie HR Data) is secured within the organization. Increase budgets to implement stronger security measures and protocols for example MFA with Microsoft 365 to strengthen your security posture. Also, utilize application security best practices including here and here, and patch your systems and applications!
Make AppSec Part of Development Process
If you are creating or development mobile apps, web apps, APIs, internal line of business applications this is something that is always overlooked.
Applications exposed to the internet and internal attackers on networks are frequently being targeted with new exploits being released on a daily basis. Bad actors are so highly skilled and stealthy that you may not even know you’ve already been breached.
Security measures must be taken to routinely implement security into the DevOps process or DevSecOps. Your pull request process and CI/CD pipelines should automate code scanning of any third party libraries and you should have eyes looking at the code going into the source code. Here is a screenshot of the SolarWinds source that compromises systems and as you can see it’s code that was added that spins off a thread and just swallows exceptions.
For a technical breakdown see the article by Microsoft Threat Intelligence Center called Analyzing Solorigate, the compromised DLL file that started a sophisticated cyber attack, and how Microsoft Defender helps protect customers.
Whether that be performing pentesting, vulnerability assessments, threat hunting, code scanning, threat modeling or many of the other application security best practices consistently recommended by experts.
What’s Next?
The number of attackers versus defenders is gradually increasing and creating a bigger delta in separation of skill and knowledge over the years. Hackers are only getting stronger and increasing in numbers as cybersecurity awareness slowly becomes more pervasive and mainstream. It seems like every week a new hack or breach is released to the public by some large company which immediately sees their reputation and stock price plunging.
It is all of our jobs to help prevent these risks and keep everyone and their data safer. The stakes of cybersecurity breaches and the impending fallout of their risk and impact are only becoming greater. If you need some help, chat with us today about our application pentesting and azure security assessment services today.
SolarWinds Hack Resources
Below is a list of resources we have put together dealing with the SolarWinds breach for reference and for further research and education. Microsoft is also keeping a Solorigate Resource Center post and updating as new information is found, it’s a big topic and investigations are on going.
Tools
- FireEye RedTeam Tool Countermeasures
- SolarWinds Post-Compromise Hunting with Azure Sentinel
- UsingMicrosoft 365 Defender to protect against Solorigate
- CrowdStrike Reporting Tool for Azure(CRT)
- CISA Cloud Forensics Powershell Script Sparrow
SolarWinds
FireEye
- FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
- Unauthorized Access of FireEye Red Team Tools
- Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Microsoft
- Important steps for customers to protect themselves from recent nation-state cyberattacks
- A moment of reckoning: the need for a strong and global cybersecurity response
- Ensuring customers are protected from Solorigate
- Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
- Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP andRaindrop
- Protecting Microsoft 365 from on-premises attacks
- Guidance for partners on recent nation-state cyberattacks
.png){kind=small}
