The hackers inserted malicious code into SolarWinds' Orion software updates.

Edward Gately, Senior News Editor

December 17, 2020


The massive SolarWinds cyberattack no doubt will prompt considerable short-term fallout in terms of customers, revenue and reputation.

That’s according to Eric Parizo, senior analyst with Omdia. The SolarWinds cyberattack resulted from a software vulnerability.

The hackers inserted malicious code into SolarWinds’ Orion software updates sent to nearly 18,000 customers. It existed in updates released between March and June 2020.

This led to security breaches at numerous U.S. government agencies. Those include the Treasury Department, the National Telecommunications and Information Administration (NTIA) and the Department of Homeland Security (DHS). The attacker also breached SolarWinds’ corporate clients.

Emergency Directive

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive. It calls on all federal civilian agencies to review their networks for indicators of compromise. Furthermore, it instructs them to disconnect or power down Orion products immediately.

The Cozy Bear hacking group, which U.S. authorities suggest gets backing from Russian state intelligence, likely performed the SolarWinds cyberattack.

According to FireEye, the intrusion began as early as spring 2020. The security research firm announced Dec. 8 that the crime had impacted some of its customers. FireEye on Sunday released a report detailing the subdomain and malware that the threat actors used. FireEye, which has investigated numerous high-profile data breaches, fell victim to the attack.

Wake-Up Call

Nigel Thorpe is technical director at SecureAge. He said the SolarWinds cyberattack is “totally a wake-up call” for cybersecurity providers.


“This incident shows people just how disruptive a well-planned supply chain attack can be,” he said. “These types of attacks are actually quite common and vendors are a frequent jump point for bad actors looking to infiltrate a business’ network. This one was particularly destructive, however, because of how stealthily and precisely it was carried out. That said, I think this put a lot of people on guard moving forward. And the preemptive measures … will only become more prevalent as businesses assess and reassess existing relationships with third-party vendors.”

It’s difficult to say whether the attack could have been prevented, Thorpe said. But it highlights the need to have protocols in place in case one happens.

Experts surmise that if the attackers had opted to extract huge swaths of data at once to peruse later, they would likely have raised red flags in the government systems, he said.

“They had to remain stealthy and exact, indicating that their approach was more about the quality of data stolen, rather than the quantity,” Thorpe said.

Extremely Targeted Attack

John Pagliuca is president of SolarWinds MSP.


“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted and manually executed incident, as opposed to a broad, systemwide attack,” he said. “At this time, we are not aware of an impact to our RMM, N-Central and associated SolarWinds MSP products.”

SolarWinds uses Microsoft 365 for its email and office productivity tools. An attack vector was used to compromise its email, and it may have provided access to other data contained in those office productivity tools.

Both SolarWinds and Microsoft have taken steps to address the compromise.

Ongoing Investigation

SolarWinds has retained third-party cybersecurity experts to assist in an investigation. It’s also cooperating with other vendors, the FBI, the U.S. intelligence community and others in investigations related to this incident.


“Fortunately for the company, studies have proven that the negative impact of a data breach on victim organizations is relatively short-lived,” Parizo said. “I expect the company will bounce back, potentially even stronger, within 12-24 months.”

The biggest takeaway from the SolarWinds cyberattack itself should be the importance of supply chain security, he said.

“The reality in 2020 and for the foreseeable future is that every organization is only as secure as the weakest link in its supply chain,” Parizo said. “As SolarWinds has proven, one breach incident can cascade across the world with devastating effects. Unfortunately, these sorts of incidents involving third-party vendors, contractors, suppliers, service providers and the like have proven to be difficult to detect in advance, and impossible to prevent.”

In order for supply chain security to improve, it must happen at the security governance level, he said.

“Enterprises must demand cybersecurity due diligence as part of every business agreement with its third-party business partners,” Parizo said. “Those agreements should outline baseline cybersecurity best practices, detail specific measures taken to prevent compromises such as code reviews and data security measures, and spell out procedures and responsibilities in the event of a breach, including indemnity in some cases where applicable.”

Complex and Sophisticated

SolarWinds said it didn’t catch the vulnerability beforehand because “this attack was very complex and sophisticated.” Malicious hackers crafted the inserted code to evade detection and to run only when detection was unlikely.

Out of caution, SolarWinds communicated with all customers on active maintenance as of February 2020.

Brandon Hoffman is NetEnrich’s CISO.


“Any customer of SolarWinds Orion potentially installed the code-signed update that included the malicious artifacts,” he said.

This method is incredibly effective, Hoffman said. That’s because the code is signed by a trusted provider and delivered through that provider’s standard update engine.

The behavior of the malware in the SolarWinds cyberattack is extremely low and slow, he said. Beyond being present and listening, it waits for the right environment or time before performing any additional activity.

“The reality is that this likely affected thousands of organizations worldwide,” Hoffman said.

Supply Chain Attack

Ray Kelly is principal security engineer at WhiteHat Security. He said the SolarWinds cyberattack is the “perfect example of a supply chain attack.”


“It’s possible that the bad actors were able to gain access to either the SolarWinds source code repository or their build pipeline and insert the malicious code,” he said. “We know this because the component that contained the malware was code-signed with the appropriate SolarWinds certificate. This made the dynamic link library (DLL) look like a legitimate and safe component for their Orion product.”

Hackers didn’t have to breach thousands of targets, Kelly said. They only had to breach one target – SolarWinds – and let their distribution system deliver the attack for them.
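Hoffman’s and Kelly’s point, that a valid vendor signature made the trojanized component indistinguishable from a legitimate update, as an added example that is not from the article, SolarWinds or any of the quoted vendors: a toy release pipeline in Python in which the build step is compromised before signing. The customer-side signature check passes either way, because a signature attests who signed the artifact, not that the artifact matches audited source; an independent rebuild-and-compare (the reproducible-build idea) is what tells the two releases apart. The sample source, the implant and the HMAC-based signing key are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs: the source the vendor's developers committed, and an
# implant injected by a compromised build step (neither is real Orion code).
CLEAN_SOURCE = b"def collect_metrics(host):\n    return poll_snmp(host)\n"
BUILD_TIME_IMPLANT = b"def _beacon():\n    pass  # dormant until conditions are met\n"

# Stand-in for the vendor's code-signing key. HMAC-SHA256 keeps the example
# standard-library only; real code signing uses an asymmetric certificate, and
# the conclusion below is the same either way.
VENDOR_SIGNING_KEY = secrets.token_bytes(32)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build(source, implant=b""):
    """Deterministic 'compiler': a compromised build server appends the implant."""
    return source + implant


def sign(artifact):
    """The vendor's release pipeline signs whatever the build step produced."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, "sha256").digest()


def signature_valid(artifact, signature):
    """What the customer's update engine checks: origin of the artifact, not its content."""
    return hmac.compare_digest(sign(artifact), signature)


def matches_independent_rebuild(artifact, source):
    """Independent check: rebuild from audited source on a separate system and compare hashes."""
    return sha256(build(source)) == sha256(artifact)


def assess(source, implant=b""):
    """Release an artifact (optionally trojanized at build time) and run both checks on it."""
    artifact = build(source, implant)
    signature = sign(artifact)
    return {
        "signature_valid": signature_valid(artifact, signature),
        "matches_rebuild": matches_independent_rebuild(artifact, source),
    }


if __name__ == "__main__":
    print("clean release:     ", assess(CLEAN_SOURCE))
    print("trojanized release:", assess(CLEAN_SOURCE, BUILD_TIME_IMPLANT))
```

Both releases carry a valid signature; only the rebuild comparison flags the trojanized one, which is why signature checks alone give no protection against a compromised build pipeline.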

Matt Walmsley is Vectra AI’s head of EMEA marketing.

“As organizations increasingly become hybrid cloud environments, we’ve seen attackers focus on privileged access and the use of legitimate tools for malicious actions,” he said. “For example, in a recent study of 4 million Microsoft 365 accounts, we identified that 96% of organizations exhibited lateral movement behaviors including multifactor authentication (MFA), and embedded security controls that are being bypassed. A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities using built-in M365 tools such as eDiscovery and Power Automate.”

Opportunities for More Attacks

Opportunities for these types of attacks are massive and growing, Walmsley said.


“It highlights the need for security teams to be able to tie together all host and account interactions as they move between cloud and on-premises environments in a consolidated view,” he said. “Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.”

Hank Schless is Lookout’s senior manager of security solutions.

“Cyber espionage campaigns can target both the public and private sector, as proven by this attack,” he said. “Adversarial nation-states have recognized the value in targeting both sectors, which means neither is safe from the types of attacks that have government resources behind them. Attackers will continue to get more creative with their campaigns as cybersecurity protections get more advanced.”

Infecting legitimate software updates can be an effective way to covertly inject malware into many organizations, Schless said.


“In order to avoid this type of attack, it’s key to have visibility into all internal and third-party software in your infrastructure,” he said. “Your host infrastructure, mobile devices and computers all represent potential access points for threat actors. You need to know where software vulnerabilities exist across your infrastructure.”

More High-Profile Attacks Expected

Lior Div is Cybereason’s CEO. He said there likely will be more high-profile attacks targeting the U.S. government, cybersecurity providers and their customers.

All high-value targets should be on alert, he said. In addition, they should initiate threat hunting and compromise assessments.

“SolarWinds has a stellar reputation,” Div said. “It looks like their software was signed with a valid Symantec certificate on a normal SolarWinds Orion update. No hygiene in the world would prevent that. The only solution is a robust, behavioral, post-breach mindset. After a certain point, effective detection matters more.”


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
