SolarWinds Cyberattack Likely Affected Thousands Worldwide

Written by Edward Gately
December 16, 2020

The hackers inserted malicious code into SolarWinds' Orion software updates.

… the attack for them.

Matt Walmsley is Vectra AI‘s head of EMEA marketing.

“As organizations increasingly become hybrid cloud environments, we’ve seen attackers focus on privileged access and the use of legitimate tools for malicious actions,” he said. “For example, in a recent study of 4 million Microsoft 365 accounts, we identified that 96% of organizations exhibited lateral movement behaviors including multifactor authentication (MFA), and embedded security controls that are being bypassed. A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities using built-in M365 tools such as eDiscovery and Power Automate.”

Opportunities for More Attacks

Opportunities for these type of attacks are massive and growing, Walmsley said.

Vectra AI’s Matt Walmsley

“It highlights the need for security teams to be able to tie together all host and account interactions as they move between cloud and on-premises environments in a consolidated view,” he said. “Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.”

Hank Schless is Lookout‘s senior manager of security solutions.

“Cyber espionage campaigns can target both the public and private sector, as proven by this attack,” he said. “Adversarial nation-states have recognized the value in targeting both sectors, which means neither is safe from the types of attacks that have government resources behind them. Attackers will continue to get more creative with their campaigns as cybersecurity protections get more advanced.”

Infecting legitimate software updates can be an effective way to covertly inject malware into many organizations, Schless said.

Lookout’s Hank Schless

“In order to avoid this type of attack, it’s key to have visibility into all internal and third-party software in your infrastructure,” he said. “Your host infrastructure, mobile devices and computers all represent potential access points for threat actors. You need to know where software vulnerabilities exist across your infrastructure.”

More High-Profile Attacks Expected

Lior Div is Cybereason‘s CEO. He said there likely will be more high-profile attacks targeting the U.S. government, cybersecurity providers and their customers.

All high-value targets should be on alert, he said. In addition, they should initiate threat hunting and compromise assessments.

“SolarWinds has a stellar reputation,” Div said. “It looks like their software was signed with a valid Symantec certificate on a normal SolarWinds Orion update. No hygiene in the world would prevent that. The only solution is a robust, behavioral, post-breach mindset. After a certain point, effective detection matters more.”