By Derrick Rice and Eric Geving
What do we know?
The recent news of the SolarWinds Orion hack and its ever-growing list of impacted clients is unlike any hack within recent history. The SolarWinds Orion client base of 300,000+ users, combined with the deep level of permissions given to its network monitoring platform, means the scope of the SolarWinds Orion Platform hack will take years to be fully quantified.
Unlike in other high-profile attacks, including most recently Equifax and Marriott International, social security numbers or credit card numbers were not the target. The intent of the attack on SolarWinds wasn’t to exfiltrate sensitive information but to infiltrate organizations that use the platform. This breach was made possible through the use of a “supply chain attack.”
What is a supply chain attack?
This supply chain attack leveraged the SolarWinds Orion update tool to push compromised software packages out to clients. Once a compromised update package was installed within a client’s infrastructure, the attackers could use it as a backdoor into the network and leverage the elevated permissions granted to the software. Clients who used SolarWinds Orion and updated their product to an affected version are susceptible to this attack (known as SUNBURST), and it should be assumed these organizations were compromised.
Who is behind the attack?
The SolarWinds hack was a global intrusion campaign reported to be carried out by hackers from the Foreign Intelligence Service of the Russian Federation (or SVR RF). This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain attack has included lateral movement throughout infrastructure and systems and theft of sensitive data.
What is being done?
SolarWinds has released version 2020.2.1 HF 1, which includes security enhancements to fix the vulnerability in the affected versions. Even with the enhancements, organizations should consider rebuilding their SolarWinds Orion environment from scratch. Patching affected systems may leave behind backdoors, which could still be utilized by attackers via alternate means.
What should my organization do?
If your organization is still running a compromised version found here, you should ensure that SolarWinds servers are immediately isolated from the rest of your infrastructure. In addition, a comprehensive forensic investigation should occur and passwords for elevated accounts, especially those having access to SolarWinds Orion servers and infrastructure, should be changed. It is important to note that, through lateral movement, other systems and accounts may have been compromised, and forensic investigations should not solely be focused on SolarWinds Orion systems and accounts.
What can we do to be prepared for other attacks?
Even though some of the most diligent organizations have fallen victim to this supply chain attack, it is important that we continue to mitigate some of the most common risks and focus on good cyber hygiene, including:
- Default Accounts – Identifying and changing default passwords for pre-installed accounts should be one of the first steps taken when implementing a new software or service. These passwords are often simple and easy to guess and should be replaced to meet existing organizational password standards. Any pre-installed accounts that are not necessary for ongoing application or service maintenance should be disabled.
- Password Strength & Security – Passwords should be required to fit strong organizational standards to limit the probability of a bad actor obtaining access via common password-guessing methods. Standards should require usage of letters and numbers, as well as special characters. Password expiration and rotation practices can serve to limit risk associated with passwords being compromised.
- Access Reviews – Account access should be regularly reviewed to confirm that access to sensitive areas remains appropriate. Limiting account privileges on an as-needed basis can reduce the opportunities for a bad actor to gain privileged access. Access controls should be built to include review of user provisioning instances and termination protocols.
If your organization is hacked or infiltrated, being able to identify and respond to indicators of compromise is key to protecting your organization from being the next headline. As attacks progress, these indicators can provide information that could tip off security personnel to behaviors that are out of the ordinary and cause for investigation. Some of these capabilities include:
- Monitoring Account Behavior – Be on the lookout for anomalous account activity. Should accounts be connecting to systems outside of normal business hours? Are accounts connecting to multiple systems at a time or systems that aren’t typically a part of the account’s purpose? These situations could be cause for further investigation.
- Baselining traffic – Knowing what types of network traffic are “normal” could help your organization identify situations that are suspicious. For example, if you understand what ports or protocols, connections to external IP addresses, amounts of data exchange, and connection types and durations are seen day-to-day, conditions outside the norm could be investigated.
Ensure your systems are logging activity and access with the right amount of verbosity, which includes information such as time of day, source and destination IP address, account used and action performed. Utilizing these audit logs and a Security Information and Event Management (SIEM) tool can alert and aid your personnel in investigating activity and eradicating threats in a timely manner.
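As an added example (not code from the original article), the following Python script applies two of the checks described above to constructed audit-log lines of the kind just listed (time, source IP, destination, account, action): logons outside business hours, and accounts logging on to hosts that are absent from their per-account baseline. The log format, account names, hours policy and baseline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not real data):
# timestamp, source IP, destination host, account, action
SAMPLE_LOG = """\
2020-12-14T09:12:05 10.0.1.20 FILESRV01 jsmith logon
2020-12-14T09:30:11 10.0.1.20 FILESRV01 jsmith read
2020-12-14T14:02:44 10.0.1.21 MAILSRV01 agarcia logon
2020-12-15T10:05:02 10.0.1.20 FILESRV01 jsmith logon
2020-12-15T03:17:09 10.0.5.9 DC01 svc_orion logon
2020-12-15T03:18:30 10.0.5.9 DC01 svc_orion read
2020-12-15T03:21:15 10.0.5.9 FILESRV01 svc_orion logon
2020-12-15T03:22:40 10.0.5.9 MAILSRV01 svc_orion logon
"""

# Assumed policy: normal business hours are 07:00-18:59 local time.
BUSINESS_HOURS = range(7, 19)
# Assumed baseline: hosts each account normally logs on to, built from prior logs.
BASELINE_HOSTS = {"jsmith": {"FILESRV01"}, "agarcia": {"MAILSRV01"},
                  "svc_orion": {"DC01"}}


def parse_log(text):
    """Parse the constructed space-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, account, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "account": account, "action": action})
    return events


def off_hours_logons(events):
    """Logons outside business hours: the 'normal business hours' check."""
    return [(e["account"], e["dst"], e["time"].isoformat())
            for e in events
            if e["action"] == "logon" and e["time"].hour not in BUSINESS_HOURS]


def unexpected_hosts(events, baseline):
    """Hosts an account logged on to that are not in its baseline set."""
    new = defaultdict(set)
    for e in events:
        if e["action"] == "logon" and e["dst"] not in baseline.get(e["account"], set()):
            new[e["account"]].add(e["dst"])
    return {acct: sorted(hosts) for acct, hosts in new.items()}
```

Both functions return the events worth a closer look rather than verdicts; in practice the same logic would run inside the SIEM over its collected logs, with the baseline refreshed from a period known to be clean.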
This historic hack will continue to be investigated. In an article on January 7th, the Wall Street Journal reported that the Department of Homeland Security cybersecurity group was continuing to explore the situation to understand other methods of intrusion that may also have been utilized. As the investigation into this attack continues, we will gain a better understanding of its far-reaching impact.
Derrick Rice CISSP, CISA, QSA is a Director in Frazier & Deeter’s Process, Risk & Governance Practice, where he focuses on information and technology systems management, design, security and support. Derrick provides subject matter expertise and manages the delivery of various security assessments, including PCI, HITRUST and HIPAA.
Eric Geving is an Associate in the Process, Risk & Governance practice at Frazier & Deeter.