On December 13, 2020, SolarWinds announced it was the victim of a cyberattack to its systems that inserted a vulnerability (SUNBURST) within their Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with the goal of being able to attack subsequent users of the software. Known victims so far include the US Treasury, the US NTIA, and FireEye. The total number of victims has not yet been released. In this case, SolarWinds describes that the code was intended to be used in a targeted way as its exploitation requires manual intervention. SolarWinds has also announced the attackers are believed to be acting on behalf of a foreign government, but they have not verified the identity of the attacker.
Why did this happen?
Nation-state actors often leverage supply chain vulnerabilities to get footholds into several enterprise accounts to further breach a larger set of customers with the intent of stealing data. We don’t have all the details on the intent yet.
What are they doing to remediate?
SolarWinds investigations and remediation efforts for these matters are early and ongoing. They are currently coordinating with security experts and organizations, the Federal Bureau of Investigation, the intelligence community, and other government agencies and law enforcement organizations to investigate these matters. As such, they are limited as to what they can share at this time. SolarWinds has made assurances that they will continue to engage and provide their customers with world-class support through this situation.
What could have been done to prevent this?
This was a nation-state, advanced attack, so unfortunately not a lot. The key to a successful security strategy is understanding that it’s not a matter of ‘if’, but ‘when’. The key is to implement the proper tools and processes so that your organization can react quickly. Without such tools, SolarWinds would lack the visibility or history needed to hunt for these threats once the Indicators of Compromise have been identified. With that visibility and tooling in place, once these items are known, customers who had them would be able to react in real-time.
What happens now?
SolarWinds was the ingestion point, but their Orion® Platform users were the true victims. SolarWinds has patched its software, but that doesn’t mean other backdoors haven’t been established. At this time, we don’t know if the attackers have established other backdoors in customer environments, so vigilant detection and investigation is critical.
What can I do to learn more?
SolarWinds has published, and continues to update, the following resources that provide the most up-to-date information:
Microsoft has also developed resources with the goal of enabling the broader security community to hunt for activity in their networks and contribute to a shared defense against this sophisticated threat actor. This post contains technical details about the methods of the actor Microsoft believes was involved in recent nation-state cyber-attacks.
How can Netrix help?
If you are unsure if you’ve been exposed to this supply chain attack, or you’re concerned about your security posture in general, Netrix can help by identifying if you’ve had any suspicious activity in your environment. With Netrix’s threat hunting engagements, we deploy market-leading tools in your network to identify if you have any suspicious activity and what part of your network was vulnerable. We can also conduct risk-based security assessments that provide a clear picture of any gaps in your security resources, processes, or technologies.
It’s important to understand that security is a mindset that requires 24x7x365 attention. If you’re relying on point-in-time configured software, you’re leaving yourself vulnerable to attack. Building a team that has the expertise necessary and can be responsible for 24x7x365 monitoring of your environment is expensive, yet without one, you are left exposed to the inevitable. Netrix can provide managed security services for perimeter, application, and endpoint security that are delivered by a team of certified engineers organized in a follow-the-sun model.
No matter what your security challenge is, Netrix has a robust portfolio of offerings to solve it and a team of security experts ready to help. Contact us today.