Anatomy of a hack – Solar Winds Orion – Cyber Defense Magazine
Nation State hacks major IS Software vender
by James Gorman, CISO, Authx
What happened when one of the leading IT support venders in the world, leading government agencies the world over and up 18,000-33,000[1] companies running the affected version (2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1)[2] of SolarWinds Orion software.
Here’s what happened:
- The threat actor – indicated to be a nation state in Microsoft’s Threat Intelligence Center’s release[3] – was able to compromise the update process for Solar Winds and imbed a trojan horse that allowed the attacker to gain administrative access to the network.
- Using the acquired administrative access the intruder used a lateral attack to gain access to the certificate signing credentials of the organization. This allows the attacker to generate “real-looking” credentials to continue to move throughout the organization.
- Using the now trusted yet hacked credentials, the attacker then takes stock of what else they have access to in the organization, on-premise and cloud based. This is because they have access to seemingly valid credentials and are not flagging most alerts looking for unusual login failures.
- Once the attacker has access to a Global Administrator’s account or its trusted certificate, they use that to impersonate the admin, they essentially have the keys to the kingdom and can create new global admins, add them to existing services and or create new services and then go after API access to the organization.
What has been reported is that once this particular hacker gets access to the global administrator they keep the malicious programs – Malware – to a minimum and used remote access to move through the enterprises and take over code repositories, trade secrets, MS Office 360, Azure Active Directory, essentially every system that relies on federated access and authentication. The list keeps growing of who was hacked and it is a veritable who’s who of what a Nation State actor would want – US State Department, Pentagon, Department of Homeland Security, National institute of Health and others, as well as many private firms[4]. While many of the known targets are the “big guys” if you use Solar Winds Orion assume you are compromised.
If you use Solar winds Orion assume you are compromised, take it off line, upgrade and contact SolarWinds. https://www.solarwinds.com/securityadvisory
If you are a CISO or security professional, you should know that in this hack you could do everything right and still have been vulnerable. You could have anti-malware tools running, login restrictions on sensitive systems, monitoring of the failures, all the things you would do in a traditional defense in depth environment. Because you trusted your supply chain and one of the largest and most trusted names in network monitoring and management was breached and you are now vulnerable and probably compromised.
You could have done everything right and still been compromised! This is the lesson to learn here all you can do is mitigate and minimize the damage done. Some hackers are very, very good and your security is only as good as your weakest link in your supply chain. It could be one of your largest and most trusted IT suppliers that are the avenue of attack. You have to trust and verify everyone.
So what is a person to do if they are or are not compromised? There are some things that had they been in place cold have mitigated or limited the damage due to the internal spread of this particular hack. We still do not know how the development/release system at SolarWinds was compromised – I for one am looking forward to seeing how that happened.
What to do now that we know what we know –
- Update your software frequently – this is still the best way to keep known vulnerabilities at bay. Don’t let this supply chain hack scare you into not keeping your systems up to date. It is one of the most basic principals in Cybersecurity – path your systems
- Use updated antivirus systems that are quickly updated to mitigate this attack.
- Monitor your network and systems for anomalous behavior – Look for multiple power shell access to Active Directory from the same machine. Especially privileged sign ins.[5]
- Look for adds to your federated services, use best practices for securing your AD FS services.[6]
- Use whitelists for access to your sensitive network segments – block outbound traffic except what is needed for vital business processes on your trust segments. This blocks the trojans access to its home Command and Control (C2) servers where the hackers then get access to your environment.
- Use hardware based tokens (HSMs) for SAML signatures.
- Alert and verify as authorized new access credentials on OAuth applications and
- Reduce attack surface by removing applications and service principals that are not needed on your systems. Make sure you are logging the service principal access and look for anomalies.
- Use multifactor authentication with Biometric factors for all log ins.
Authx https://authx.com is a prime example of how to verify who actually has access to your systems. It is a multifactor authentication mechanism that uses biometrics – face, finger, palm or one-time pad to give additional validity to the user access experience. Authx or another would have limited the ability for lateral movement and the persistence of this or most imposter credential attacks.
About the Author
James Gorman CISO, Authx
James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying and maintaining large-scale, mission-critical applications and networks. Over the last 15 years he has lead teams through multiple NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped multiple companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at companies such as GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.
James can be reached online at james@authx.com and at LinkedIn at https://www.linkedin.com/in/jamesgorman/ and at our company website https://authx.com
[1] https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
[2] https://www.solarwinds.com/securityadvisory
[3] https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
[4] https://news.yahoo.com/solarwinds-orion-more-us-government-131005599.html
[5] https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
[6] https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs