Does Sunburst Have Your Confidential Emails and Database Data?
By Randy Reiter, CEO of Don’t Be Breached
So far three malware strains have been identified in the SolarWinds supply chain attack. They are the SUNBURST, SUPERNOVA, and TEARDROP malware strains.
Russian hackers used the malware to potentially gain access to 18,000 government and private networks via the SolarWinds Orion network management product. Initially, it was believed that the hackers had gained access to only a few dozen of those networks. Further investigative work by security firms, Amazon, and Microsoft now points to 250 federal agencies and large corporations the hackers may have gained access to.
These malware strains went undetected for nine months. The malware was present as a Trojan horse in SolarWinds software updates from March through June 2020. It is quite shocking that government and private sector networks were so vulnerable and did not detect the malware over a nine-month period, until December 2020.
The Commerce Department, Energy Department, Homeland Security Department, National Security Administration, State Department, Treasury Department, National Institute of Health, and parts of the Pentagon were government targets of the data breach. In the private sector, Cisco, Intel, Microsoft, VMware, and others have stated they were impacted by the breach. The DOJ stated that hackers accessed its Microsoft Office 365 email server.
In some of the attacks, the hackers used the administrator privileges granted to the SolarWinds product within Microsoft's Azure cloud platform, which stores customer data, to gain additional access to confidential emails and documents.
Also, email service provider Mimecast reported that Russian hackers were able to obtain a Mimecast digital certificate to access its customers' Microsoft 365 Office services. The techniques and tools used by the hackers were similar to those used by the SolarWinds hackers. Mimecast was a user of the SolarWinds Orion product and no longer uses it.
This data breach has been described as the IT security equivalent of Pearl Harbor. The extent of the confidential email and database data stolen from Government Agencies and American Fortune 500 companies may never fully be known.
How to Stop the Theft of Confidential Database Data and Emails?
Confidential database data includes email correspondence (and documents), credit card, tax ID, medical, social media, corporate, manufacturing, law enforcement, defense, homeland security, and public utility data. This data is almost always stored in DB2, Informix, MariaDB, MySQL, Oracle, PostgreSQL, SAP ASE and SQL Server databases. Once inside the security perimeter (e.g., via a zero-day attack), a hacker or rogue insider can use commonly installed database utilities to steal confidential database data.
Non-intrusive network sniffing technology can capture and analyze the normal database query and SQL activity from a network tap or proxy server with no impact on the database server. This SQL activity is very predictable: database servers serving 10,000 end users typically process 2,000 to 10,000 unique queries or SQL commands daily, which run millions of times a day. Logging into the monitored networks, servers, and databases is NOT required for data breach prevention.
Advanced SQL Behavioral Analysis of Database Query and SQL Activity Prevents Data Breaches
Advanced SQL Behavioral Analysis of the database SQL activity can learn what the normal database activity is. Then, from a network tap or proxy server, the database query and SQL activity can be non-intrusively monitored in real time and non-normal SQL activity immediately identified. These approaches are inexpensive to set up. Non-normal database SQL activity from hackers or rogue insiders can now be detected in a few milliseconds. The hacker or rogue insider database session can be immediately terminated and the security team notified, so that confidential database data is not stolen by nation-state hackers, ransomed, or sold on the Dark Web.
Advanced SQL Behavioral Analysis of the query activity can go even further and learn the maximum amount of data queried, plus the IP addresses all queries were submitted from, for each of the 2,000 to 10,000 unique SQL queries sent to a database. This type of data breach protection can detect never-before-observed query activity, queries sent from a never-observed IP address, and queries sending more data to an IP address than the query has ever sent before. This allows real-time detection of hackers and rogue insiders attempting to steal confidential database data. Once detected, the security team can be notified within a few milliseconds so that an embarrassing and costly data breach is prevented.
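As an added illustration of the learn-then-detect approach described in the two sections above (example code written for this page, not the author's product), the following Python builds a per-query profile from captured SQL traffic and flags the three conditions the text names: a never-before-seen query, a known query from a never-seen source IP, and a known query returning more rows than ever observed. The literal-stripping fingerprint, the record fields, and the sample traffic are assumptions constructed for the example.

```python
import re

# Constructed sample of captured database traffic during the learning period:
# (source_ip, sql_text, rows_returned). A real tap would supply these fields.
BASELINE = [
    ("10.0.1.20", "SELECT name, email FROM customers WHERE id = 42", 1),
    ("10.0.1.20", "SELECT name, email FROM customers WHERE id = 77", 1),
    ("10.0.1.21", "SELECT * FROM invoices WHERE customer_id = 42 AND year = 2020", 12),
    ("10.0.1.21", "SELECT * FROM invoices WHERE customer_id = 9 AND year = 2019", 30),
]


def fingerprint(sql):
    """Collapse string and numeric literals so queries that differ only in
    parameter values map to one of the site's few thousand unique queries."""
    s = re.sub(r"'[^']*'", "?", sql)          # 'abc' -> ?
    s = re.sub(r"\b\d+\b", "?", s)            # 42 -> ?
    return re.sub(r"\s+", " ", s).strip().lower()


def learn(records):
    """Build the profile: for each unique query, the largest result ever
    returned and every source IP it has been submitted from."""
    profile = {}
    for ip, sql, rows in records:
        entry = profile.setdefault(fingerprint(sql), {"max_rows": 0, "ips": set()})
        entry["max_rows"] = max(entry["max_rows"], rows)
        entry["ips"].add(ip)
    return profile


def classify(profile, ip, sql, rows):
    """Return the anomaly labels for one observed query; [] means normal."""
    entry = profile.get(fingerprint(sql))
    if entry is None:
        return ["never-before-seen query"]
    alerts = []
    if ip not in entry["ips"]:
        alerts.append("never-before-seen source IP")
    if rows > entry["max_rows"]:
        alerts.append("returned more rows than ever observed")
    return alerts


if __name__ == "__main__":
    profile = learn(BASELINE)
    # A full-table read from an unknown host: exactly the bulk theft the text describes.
    print(classify(profile, "203.0.113.9", "SELECT name, email FROM customers", 50000))
```

In production the profile would keep growing during a supervised learning period and then be frozen, so that an attacker's first bulk query is compared against the real baseline rather than learned as normal.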
About the Author
Randy Reiter is the CEO of Don’t Be Breached, a Sql Power Tools company. He is the architect of the Database Cyber Security Guard product, a database data breach prevention product for Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle and SAP Sybase databases. He has a Master’s Degree in Computer Science and has worked extensively over the past 25 years with real-time network sniffing and database security. Randy can be reached online at rreiter@DontBeBreached.com, www.DontBeBreached.com and www.SqlPower.com/Cyber-Attacks.