A CISO's Perspective - SolarWinds Hack and Mitigation Measures
Andrew Smeaton
Chief Information Security Officer @ Jamf CISSP, CISA, CISM, CRISC, CCISO, CGEIT
SolarWinds Hack and Mitigation Measures
Supply chain compromise is one of the growing cybersecurity problems, in which adversaries manipulate product delivery mechanisms to compromise targeted systems or organizations.
On December 13, 2020, we saw one of the most potentially damaging supply chain attacks in recent years. A highly evasive intrusion campaign was found to leverage the SolarWinds supply chain to gain access to numerous public and private organizations around the world.
The compromise is a serious cyberattack on the United States, its government, and other critical institutions, proving that the cyberthreat landscape has greatly evolved and has become even more dangerous.
The gravity of this attack is enormous as SolarWinds’ products and services are used by more than 300,000 customers around the world, including:
· More than 425 of the U.S. Fortune 500
· All ten of the top ten U.S. telecommunications companies
· All five branches of the U.S. Military
· The U.S. Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
· All five of the top five U.S. accounting firms
· Hundreds of universities and colleges worldwide
In this attack, cybercriminals covertly deployed the SUNBURST/Solorigate backdoor into SolarWinds’ Orion IT monitoring and management software, allowing them to gain access to an organization’s network traffic management systems.
According to the report, the trojanized updates released on SolarWinds’ website were digitally signed and distributed between March and May 2020. This indicates that the attacker had gained access to SolarWinds’ software development pipeline.
The trojan was distributed in March but not discovered until December, which means the cybercriminals had been silently operating inside critical systems for months, harvesting information and performing malicious activity such as network reconnaissance, privilege escalation, and lateral movement.
The attackers associated with this level of attack are not ordinary but sophisticated. SolarWinds claimed that “this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.” FireEye attributes this attack campaign to UNC2452, while the cybersecurity firm Volexity linked it to Dark Halo.
In response to the discovery of the attack, CISA (part of DHS) issued an emergency directive stating, “this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
The number of customers that may have installed a vulnerable version of the Orion products is expected to be fewer than 18,000. Organizations affected by this attack include:
· FireEye
· U.S. Department of the Treasury
· U.S. National Telecommunications and Information Administration (NTIA)
· The National Institutes of Health (NIH) (Part of the U.S. Department of Health)
· U.S. Department of Homeland Security (DHS)
· U.S. Department of Energy (DOE)
· U.S. National Nuclear Security Administration (NNSA)
· Cisco
The SolarWinds attack is not a usual attack on a specific organization, but an attack on trust and reliability. The attack is remarkable for its scope, sophistication, and impact. It is a reminder that virtually every country is at risk and needs very strong protection measures.
The attack is still being investigated by cybersecurity groups in the public and private sectors to identify the full extent of the compromise.
Recommended Action Plan
If your organization is still using an affected version of SolarWinds Orion, then assume that you are already compromised and that the devices are completely under the attackers’ control. In this situation, you need to activate a full incident response plan and comprehensively audit on-premises and cloud environments. Action items include:
· Immediately disconnect the affected devices and block all the traffic to and from the devices.
· Audit configuration changes such as user and application settings, forwarding rules, etc.
· Review user and application access, remove excessive access, and re-issue access where it is still required.
· Consider all user accounts compromised. Reset all credentials and ensure that strong credentials are used in accordance with security best practices.
· Perform indicator of compromise (IoC) lookups to find any instances of compromise, then carry out threat hunting and forensic analysis to find more details on the compromise and any indication of lateral movement.
· Check for new and unknown tools that attackers might have dropped to carry out activities such as privilege escalation, account manipulation, lateral movement, network discovery, etc.
· Rebuild affected devices using trusted SolarWinds sources.
· Conduct a risk assessment to assess the impact of reintroducing the SolarWinds Orion Platform into production environments.
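The IoC lookup step above is the one that lends itself to automation. The following is an added example (not the author's code, and not a SolarWinds or CISA tool) that walks an install tree, streams each binary through SHA-256 and reports every hit against a hash blocklist; the hash values in IOC_SHA256 and the directory layout are constructed placeholders, not real indicators, and a real run would load the advisory's published hashes instead.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder IoC list, for illustration only. In practice this
# dict is populated from the vendor/CISA advisory, never from this example.
IOC_SHA256 = {
    hashlib.sha256(b"constructed: trojanized component A").hexdigest(): "placeholder-ioc-A",
    hashlib.sha256(b"constructed: trojanized component B").hexdigest(): "placeholder-ioc-B",
}


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large install trees do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root, iocs=IOC_SHA256, suffixes=(".dll", ".exe")):
    """Walk `root` and return (relative_path, sha256, ioc_label) for every
    binary whose digest appears in the blocklist. Only executable suffixes
    are hashed; other files are skipped."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        digest = sha256_of(path)
        if digest in iocs:
            hits.append((str(path.relative_to(root)), digest, iocs[digest]))
    return hits


def demo():
    """Build a constructed install tree with one planted match and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "Orion", "Plugins")  # constructed path, not a real layout
        plugins.mkdir(parents=True)
        (plugins / "benign.dll").write_bytes(b"constructed: clean component")
        (plugins / "suspect.dll").write_bytes(b"constructed: trojanized component A")
        # Same bytes as IoC B, but a .txt is not hashed, so it must not be reported.
        (plugins / "notes.txt").write_bytes(b"constructed: trojanized component B")
        return scan_for_iocs(tmp)


if __name__ == "__main__":
    for rel, digest, label in demo():
        print(f"IoC match: {rel} sha256={digest[:16]}... ({label})")
```

A hit is evidence, not proof of compromise by itself; treat it as the trigger for the forensic analysis and lateral-movement hunt described in the list.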
Even if your organization has not been compromised, it is recommended to carry out the following actions if you use SolarWinds products.
· Ensure the latest version of the SolarWinds Orion Platform is installed.
· Ensure that all known IoCs are included in the block list.
· Run up-to-date EDR and antivirus solutions in your infrastructure to detect SolarWinds compromised libraries, if any.
· Apply the principle of Least Privilege to all systems and services. Restrict users’ permissions to install and run applications.
· Disable/remove unnecessary services and applications.
· Apply proper segmentation control on the network where you have SolarWinds software.
· Ensure all accounts follow best practices, especially user accounts with administrative rights.
· Monitor SolarWinds logs using SIEM tools.
· Follow security best practices from SolarWinds.
What did I miss?
General Manager (India) at The Open Group | President of Association of Enterprise Architects (India) | Co-Creator and Chief Architect (India Enterprise Architecture Framework)
4 years
ISO 20243:2018 (O-TTPS) https://www.opengroup.org/forum/trusted-technology-forum
Co-founder & co-CEO | MyCena | AI Security Solution for Total Access Control
4 years
Great article Andrew! The long-running problem here is identity-based privileged account access. As long as there is a short and broad route to all the systems, hackers will always find it.
3X CyberSecurity CMO, SVP Marketing, Growth, B2B Strategist, Cyber, DevSecOps, Advisory Board, Forbes Communications Council, G-CMO Member
4 years
Thanks for sharing Andrew! From all the articles and talkbacks it seems that this attack was unstoppable. With the exception of companies involved in national security, it is folly to invest large sums of money in attempts to prevent attacks with this level of sophistication. Though this doesn’t mean that companies should not optimize and validate their security against supply chain attacks, for example to improve resilience to lateral movement and to make sure that their detection capabilities are tested frequently; not all attacks are state sponsored. We wrote a blog on how breach and attack simulation can aid companies to defend against supply chain attacks: https://blog.cymulate.com/how-breach-attack-simulation-optimizes-defense-against-supply-chain-attacks
Helping organizations achieve positive business outcomes by improving and building their Quality culture through a comprehensive, automated platform.
4 years
Great read Andy! Very alarming as well, of course!