SolarWinds is one of the biggest names in IT support – and now one of the most notorious. The leading information security vendor provides a variety of solutions to government agencies and private firms across the world.
And within the past few weeks, they revealed that somewhere between 18,000 and 33,000 of those customers have been running a breached version of SolarWinds Orion software (2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1). The cyber attacker is likely a nation-state, as indicated in Microsoft’s Threat Intelligence Center’s release.
The details of how the hacker managed to break into the system at such a large scale remain fuzzy. However, this series of attacks serves as a reminder to all of us security professionals to implement cybersecurity best practices and multi-factor authentication strategies.
How did the hacker gain access to SolarWinds Orion?
The malicious actor seems to have been following a certain process in this series of supply chain hacks, which goes something like this:
- First, the hacker succeeds in compromising the update process for SolarWinds. They then embed a Trojan Horse to gain administrative access to the network.
- After acquiring administrative access, the intruder uses a lateral attack to access the organization’s certificate signing-credentials. The attacker can now generate seemingly authentic credentials.
- These apparently valid credentials prevent most alerts that would normally flag unusual login failures. The attacker has the opportunity to take stock of what else they can access in the organization, including both on-premises and cloud-based materials.
- Once the attacker has access to a global administrator’s account or its trusted certificate, they can use these tools to impersonate the admin. This ability is powerful; the attacker now essentially holds the keys to the kingdom. With this access, the hacker can create new global admins and add them to existing services. They can even develop new services and pursue API access to the organization.
Now imagine this process happening to thousands of SolarWinds customers – including some extremely powerful organizations and government agencies. According to reports, once this particular hacker has gained access to the global administrator of a company, they usually keep the malicious programs (or malware) to a minimum. Instead, they tend to use remote access to move through the enterprises and take over code repositories, trade secrets, MS Office 360, Azure Active Directory, etc. In other words – they conquer essentially every system that relies on federated access and authentication.
Who’s affected? Am I?
The list of organizations hacked by this attacker keeps growing. It includes many predictable targets for a nation-state actor – such as the US State Department, Pentagon, Department of Homeland Security, National Institute of Health, as well as many private firms. While many of the known targets are the “big guys”, it’s safe to assume that if you use SolarWinds Orion, your organization’s information may be compromised.
If you fall into that category, the wisest course of action is to proceed as if you have been hacked. Take Orion offline, upgrade and contact SolarWinds.
You can reach them at: https://www.solarwinds.com/securityadvisory.
What can security professionals take away from this nightmare?
The lesson from these high-profile attacks is that you can do everything right and still be compromised. You can have anti-malware tools running, login restrictions on sensitive systems, failure monitoring – all the things you would do in a traditional in-depth defense environment. But because a) you trusted your supply chain and b) one of the largest and most trusted names in network monitoring and management happened to be breached, your organization is now vulnerable.
At this point, all you can do is mitigate and minimize the damage done. Some hackers are extremely good and your security is only as effective as the weakest link in your supply chain. These cyber-attacks prove that even one of your largest and most trusted IT suppliers could be the reason that your firm is compromised. To prevent this risk in the future, you need to trust and verify each element of your security supply chain.
Best cybersecurity practices moving forward
While we still do not know how the SolarWinds development/release system was compromised – I for one am fascinated to learn exactly how it happened – we can still learn from the incident and take measures to prevent similar breaches. If SolarWinds had certain practices in place, they could have limited the damage from the internal spread of this particular hack.
Some recommendations for these best practices include:
- Update your software frequently. This is still the best way to keep known vulnerabilities at bay. Don’t let this supply chain hack scare you into not keeping your systems up to date. Follow one of the most basic principles in cybersecurity, which is: “patch your systems.”
- Use antivirus systems that update quickly to mitigate this type of attack.
- Monitor your network and systems for anomalous behavior. Look for multiple power shell access to Active Directory from the same machine – especially privileged sign ins.
- Look for adds to your federated services. Use best practices for securing your AD FS services.
- Use whitelists for access to your sensitive network segments. Block outbound traffic, except for what is needed for vital business processes on your trust segments. This blocks the Trojans’ access to its home Command and Control (C2) servers where the hackers then get access to your environment.
- Use hardware-based tokens (HSMs) for SAML signatures.
- Alert and verify as authorized new access credentials on OAuth applications.
- Reduce attack surface by removing applications and service principals that are not needed on your systems. Make sure you are logging the service principal access and look for anomalies.
- Use multi-factor authentication with biometric factors for all logins.
Secure your system with biometric multi-factor authentication
These days, it’s impossible to be too careful when it comes to cybersecurity. If you want to start to secure your organization organization against this type of attack now, one avenue to explore is biometric authentication options.
AuthX, a multi-factor authentication platform with biometric solutions, offers a prime example of identification verification methods. The software uses biometrics including face, finger, palm or one-time pad to give additional validity to the user identity access experience. This type of additional security lets you control who actually has access to your systems.
Combined with best practices described above, AuthX offerings would have limited the ability for lateral movement and the persistence in the SolarWinds imposter credential attacks. The same goes for most other false credential attacks that could come your way.
To begin protecting your organization today, visit http://188.8.131.52 for more information.