Anatomy of a hack – SolarWinds Orion

Nation-state hacks major IT software vendor

by James Gorman, CISO, Authx

SolarWinds is one of the biggest names in IT management software, and now one of the most notorious. The vendor supplies network and infrastructure monitoring to government agencies and private firms across the world. Within the past few days it disclosed that, of roughly 33,000 Orion customers, fewer than 18,000 are believed to have installed a trojanized build (2019.4 HF 5, 2020.2 with no hotfix, or 2020.2 HF 1) of the SolarWinds Orion platform.

The attacker is almost certainly a nation-state actor, as Microsoft's Threat Intelligence Center (MSTIC) indicated in its release. The sequence this series of supply-chain intrusions appears to follow goes something like this:

  • The attacker compromises SolarWinds' build and update process and embeds a backdoor in a legitimately signed Orion update. Because the Orion server holds privileged credentials for the systems it monitors, the backdoor hands the attacker administrative access to the customer's network.
  • From that foothold the intruder moves laterally to the federation server (typically AD FS) and steals its SAML token-signing certificate. With that private key the attacker can mint tokens that look entirely authentic, for any user, and so keeps moving through the organization.
  • Forged tokens never fail authentication, so the alerts that would normally flag unusual login failures never fire. The attacker can now take stock of everything the stolen identities reach, on premises and in the cloud.
  • Once the attacker controls a global administrator account, or the certificate the cloud tenant trusts, they impersonate that admin. This is the keys to the kingdom: the attacker can create new global admins, add their own credentials to existing applications and service principals, register new ones, and thereby obtain durable API access to the organization's data.

Now imagine this process happening to thousands of SolarWinds customers, including some extremely powerful organizations and government agencies. According to reports, once this particular attacker has gained access to a company's global administrator, they keep the malware footprint to a minimum. Instead, they use remote access to move through the enterprise and take over code repositories, trade secrets, Microsoft 365 (Office 365), Azure Active Directory, and essentially every system that relies on federated access and authentication.

The list of organizations hacked by this attacker keeps growing. It includes many predictable targets for a nation-state actor, such as the US State Department, the Pentagon, the Department of Homeland Security, the National Institutes of Health and others, as well as many private firms. While many of the known targets are the "big guys", it is safe to assume that if you run SolarWinds Orion your organization's information may be compromised.

If you fall into that category, the wisest course of action is to proceed as if you were compromised. Disconnect or power down the affected Orion hosts, treat every credential those hosts held as exposed, upgrade to the hotfix SolarWinds has released, and contact SolarWinds.
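The first practical question is which hosts actually run one of the three builds named above. Version strings in inventories and console exports are rarely consistent ("2020.2 HF1", "v2019.4 hotfix 5", "2020.2"), so the following added example, written for this article and not a SolarWinds tool, normalises them before matching. The inventory lines are constructed; the affected-build list is taken from the article, and anything not on it is reported as "not listed", which is not the same as clean: confirm the hotfix level against SolarWinds' current advisory.

```python
"""Triage an Orion host inventory against the affected builds named in the article."""
import re

# Builds the article names as carrying the malicious update: (base, hotfix number).
AFFECTED_BUILDS = {
    ("2019.4", 5),   # 2019.4 HF 5
    ("2020.2", 0),   # 2020.2 with no hotfix
    ("2020.2", 1),   # 2020.2 HF 1
}

_VERSION_RE = re.compile(
    r"""^\s*v?                               # optional leading 'v'
        (?P<base>\d{4}(?:\.\d+)+)            # 2020.2 or 2020.2.1
        (?:\s*(?:hf|hotfix)\s*(?P<hf>\d+))?  # optional 'HF 1' / 'hotfix1'
        \s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def parse_version(text):
    """Normalise a free-form Orion version string to (base, hotfix).

    'v2020.2 HF1' -> ('2020.2', 1); '2019.4 hotfix 5' -> ('2019.4', 5);
    '2020.2' -> ('2020.2', 0). Returns None when the string is unrecognisable.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (m.group("base"), int(m.group("hf") or 0))


def is_affected(text):
    """True when the version string maps to one of the affected builds."""
    return parse_version(text) in AFFECTED_BUILDS


def triage(inventory_lines):
    """Split 'hostname,version' lines into affected / not listed / unparseable."""
    affected, not_listed, unparseable = [], [], []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        parsed = parse_version(version)
        if parsed is None:
            unparseable.append(host)      # never silently drop a host you cannot classify
        elif parsed in AFFECTED_BUILDS:
            affected.append(host)
        else:
            not_listed.append(host)
    return affected, not_listed, unparseable


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = """
# host,orion_version
orion-hq-01,2020.2 HF 1
orion-dc-02,v2019.4 hotfix 5
orion-lab-03,2020.2
orion-eu-04,2020.2.1 HF 1
orion-old-05,2018.4 HF 3
orion-unknown-06,n/a
""".splitlines()

if __name__ == "__main__":
    hit, other, bad = triage(SAMPLE_INVENTORY)
    print("AFFECTED (isolate, rotate credentials, upgrade):", hit)
    print("not on affected list (verify hotfix level):     ", other)
    print("unparseable (inspect manually):                 ", bad)
```

Hosts in the "not listed" bucket still need a look: an older release such as 2018.4 is simply outside the list the article gives, and a newer hotfix line should be checked against the vendor's advisory rather than assumed safe.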

You can reach them at:

The lesson from this series of high-profile attacks is that you can do everything right and still be compromised. You can have anti-malware tools running, login restrictions on sensitive systems, failure monitoring, all the things you would do in a traditional defense-in-depth environment. But because a) you trusted your supply chain and b) one of the largest and most trusted names in network monitoring and management happened to be breached, your organization is now vulnerable and likely infiltrated.

At this point, all you can do is mitigate and minimize the damage done. Some attackers are very, very good, and your security is only as effective as the weakest link in your supply chain. These attacks prove that even one of your largest and most trusted IT suppliers could be the reason your company or agency is compromised. To prevent this moving forward, you need to trust and verify each element of your security supply chain. While we still do not know how the development and release system at SolarWinds was compromised (I for one am fascinated to learn how it happened), we can still learn from the incident and take measures to proactively prevent similar breaches. Certain practices, had they been in place, could have mitigated or limited the damage from the internal spread of this particular intrusion.

Some of these recommendations include –

  • Update your software frequently. This is still the best way to keep known vulnerabilities at bay. Don’t let this supply chain hack scare you into not keeping your systems up to date. Follow one of the most basic principles in cybersecurity, which is: “patch your systems.”
  • Use antivirus and endpoint detection tools that update their signatures quickly, so that a newly disclosed implant is detected within hours rather than weeks.
  • Monitor your network and systems for anomalous behavior. Look for repeated PowerShell access to Active Directory from the same machine, especially privileged sign-ins.
  • Watch for additions or changes to your federated services: new federated domains, new token-signing certificates, changed trust settings. Follow best practices for securing your AD FS servers.
  • Use allowlists for access to your sensitive network segments, and block outbound traffic from your trusted segments except what vital business processes need. That denies the Trojan the path to its command-and-control (C2) servers, which is how the attackers get interactive access to your environment. A monitoring server such as Orion rarely needs unrestricted Internet access.
  • Keep the SAML token-signing keys of your federation server in a hardware security module (HSM), so the private key cannot be exported and used to forge tokens elsewhere.
  • Alert on new credentials (secrets or certificates) added to OAuth applications and service principals, and verify that each addition was authorized.
  • Reduce the attack surface by removing applications and service principals you don't need. Log service principal sign-ins and look for anomalies, such as a principal authenticating from a new location.
  • Use multifactor authentication, with biometric factors, for all logins. Bear in mind that a forged SAML token is minted after authentication, so MFA hardens the front door while the signing-key controls above protect the back.
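Several of the recommendations above are detections, and the useful question is what they look like when run over real logs. The following added example, written for this article and not a tool from SolarWinds, Microsoft or Authx, applies four of them to constructed identity-log events: federation configuration changes, credentials added to applications or service principals, privileged role assignments, a burst of privileged PowerShell sign-ins from one source address, and a service principal authenticating from an address outside its baseline. The field and activity names are modelled on Azure AD audit and sign-in log exports but are assumptions here; check them against your own tenant's schema before deploying anything like this.

```python
"""Run the article's identity-log detections over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit activity names worth an alert (assumed; verify against your export).
FEDERATION_CHANGES = {"Set federation settings on domain", "Set domain authentication"}
CREDENTIAL_ADDS = {"Add service principal credentials",
                   "Update application - Certificates and secrets management"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

PS_WINDOW = timedelta(hours=1)   # window for the privileged PowerShell burst rule
PS_MIN_ACCOUNTS = 2              # distinct privileged accounts from one source IP


def audit_alerts(audit_events):
    """Federation changes, new app credentials and privileged role adds."""
    alerts = []
    for e in audit_events:
        act, who, target = e["activityDisplayName"], e["initiatedBy"], e["targetResources"]
        if act in FEDERATION_CHANGES:
            alerts.append(("federation-change", who, target))
        elif act in CREDENTIAL_ADDS:
            alerts.append(("app-credential-added", who, target))
        elif act == "Add member to role" and e.get("role") in PRIVILEGED_ROLES:
            alerts.append(("privileged-role-assigned", who, target))
    return alerts


def powershell_signin_alerts(signins):
    """One source IP driving >= PS_MIN_ACCOUNTS privileged accounts through a
    PowerShell client inside PS_WINDOW: an operator working stolen identities."""
    by_ip = defaultdict(list)
    for s in sorted(signins, key=lambda s: s["createdDateTime"]):
        if s["privileged"] and "PowerShell" in s["appDisplayName"]:
            when = datetime.fromisoformat(s["createdDateTime"])
            by_ip[s["ipAddress"]].append((when, s["userPrincipalName"]))
    alerts = []
    for ip, rows in by_ip.items():
        for i, (t0, _) in enumerate(rows):            # sliding window over sorted rows
            users = {u for t, u in rows[i:] if t - t0 <= PS_WINDOW}
            if len(users) >= PS_MIN_ACCOUNTS:
                alerts.append(("privileged-powershell-burst", ip, sorted(users)))
                break                                  # one alert per source IP
    return alerts


def service_principal_alerts(sp_signins, known_ips):
    """Service principal authenticating from an IP outside its baseline."""
    return [("sp-new-source", s["servicePrincipalName"], s["ipAddress"])
            for s in sp_signins
            if s["ipAddress"] not in known_ips.get(s["servicePrincipalName"], set())]


# Constructed sample events (accounts, apps and addresses invented for illustration).
AUDIT_EVENTS = [
    {"activityDisplayName": "Update user", "initiatedBy": "helpdesk@example.com",
     "targetResources": "jdoe@example.com"},
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "svc-backup@example.com", "targetResources": "example.com"},
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-backup@example.com", "targetResources": "Mail Archiver"},
    {"activityDisplayName": "Add member to role", "initiatedBy": "svc-backup@example.com",
     "targetResources": "ops-admin2@example.com", "role": "Global Administrator"},
    {"activityDisplayName": "Add member to role", "initiatedBy": "admin@example.com",
     "targetResources": "reader@example.com", "role": "Reports Reader"},
]
SIGNINS = [
    {"createdDateTime": "2020-12-14T02:10:00", "userPrincipalName": "admin@example.com",
     "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "10.1.5.23", "privileged": True},
    {"createdDateTime": "2020-12-14T02:22:00", "userPrincipalName": "ops-admin2@example.com",
     "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "10.1.5.23", "privileged": True},
    {"createdDateTime": "2020-12-14T09:00:00", "userPrincipalName": "jdoe@example.com",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "10.1.5.23", "privileged": False},
    {"createdDateTime": "2020-12-14T10:00:00", "userPrincipalName": "admin@example.com",
     "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "10.2.0.9", "privileged": True},
]
SP_SIGNINS = [
    {"servicePrincipalName": "Mail Archiver", "ipAddress": "10.0.8.4"},
    {"servicePrincipalName": "Mail Archiver", "ipAddress": "203.0.113.77"},
]
KNOWN_SP_IPS = {"Mail Archiver": {"10.0.8.4"}}   # baseline built from prior months of logs


def run_all():
    """All alerts over the sample data, in rule order."""
    return (audit_alerts(AUDIT_EVENTS)
            + powershell_signin_alerts(SIGNINS)
            + service_principal_alerts(SP_SIGNINS, KNOWN_SP_IPS))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Read the sample alerts together and the story in the article falls out of the logs: a service account changes the federation settings, adds a credential to an existing application, promotes a second account to Global Administrator, and both accounts are then driven over PowerShell from one workstation. None of these events is a failed login, which is exactly why monitoring for failures alone misses it.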

These days, it is impossible to be too careful when it comes to cybersecurity. If you want to get started now on securing your organization against this type of attack, Authx, a multifactor authentication product with biometrics, offers a prime example of verification methods that determine who actually has access to your systems. Its products use biometrics including face, finger and palm, or a one-time passcode, to give additional validity to the user access experience. Authx's offerings, combined with the best practices described above, would have limited the ability for lateral movement and the persistence of these impostor-credential attacks, and most others that could come your way.

You can find more information at

About the Author

James Gorman CISO, Authx

James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying and maintaining large-scale, mission-critical applications and networks. Over the last 15 years he has led teams through multiple NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped multiple companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at companies such as GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.

James can be reached online at [email protected] and at LinkedIn at and at our company website

December 15, 2020
