How did the hacker gain access to Orion?
The malicious actor appears to have followed a consistent process across this series of supply chain intrusions, which runs roughly as follows:
- First, the attacker compromises SolarWinds' build and update process and plants a backdoor (a Trojan horse) in a legitimately signed Orion update. When a customer installs that update, the backdoor runs with Orion's privileges, which are typically high because Orion has to manage the devices it monitors, so the attacker gains administrative access to the customer's network.
- After acquiring administrative access, the intruder moves laterally to the servers that hold the organization's token-signing certificates (for example, the AD FS token-signing certificate) and steals the private key. With that key the attacker can mint authentication tokens (SAML assertions) that relying parties accept as genuine.
- Because these forged tokens are cryptographically valid, there are no failed logins for the usual alerts to catch. The attacker can quietly take stock of everything in the organization that accepts federated authentication, both on-premises and in the cloud.
- Once the attacker holds a global administrator's account, or a signing certificate the tenant trusts, they can impersonate that admin at will. This is the keys to the kingdom: the attacker can create new global admins and add them to existing services, register new applications and service principals, and grant them API access to the organization's data.
Now imagine this happening to thousands of SolarWinds customers, including some extremely powerful organizations and government agencies. According to reports, once this particular actor has gained global administrator access, they keep the malware footprint to a minimum. Instead, they use legitimate remote-access channels to move through the enterprise and take over code repositories, trade secrets, Microsoft 365 (Office 365) mailboxes, Azure Active Directory, and so on. In other words, they conquer essentially every system that relies on federated access and authentication.
Who’s affected? Am I?
What can security professionals take away from this nightmare?
The lesson from these high-profile attacks is that you can do everything right and still be compromised. You can have anti-malware tools running, login restrictions on sensitive systems, failure monitoring, all the things you would do in a traditional defense-in-depth environment. But because a) you trusted your supply chain and b) one of the largest and most trusted names in network monitoring and management happened to be breached, your organization is now exposed.
At that point, all you can do is contain and minimize the damage. Some attackers are extremely good, and your security is only as strong as the weakest link in your supply chain. These attacks prove that even one of your largest and most trusted IT suppliers can be the reason your firm is compromised. To reduce this risk in the future, you need to verify, not merely trust, each element of your security supply chain.
Best cybersecurity practices
- Update your software frequently. This is still the best way to keep known vulnerabilities at bay. Don't let this supply chain hack scare you out of keeping your systems up to date; patching remains one of the most basic principles of cybersecurity.
- Use endpoint protection (antivirus or EDR) that receives signature and behavioral updates quickly, so that detections for a newly disclosed implant reach your hosts promptly.
- Monitor your network and systems for anomalous behavior. In particular, look for repeated PowerShell sessions querying Active Directory from the same machine, especially under privileged accounts.
- Watch for additions to your federated services: new federation trusts, domains switched to federated authentication, and new or replaced token-signing certificates. Follow best practices for hardening AD FS.
- Use allowlists (whitelists) for access to your sensitive network segments, and block outbound traffic from those trusted segments except what vital business processes need. This cuts the Trojan off from its command and control (C2) servers, which is the channel the attackers use to get into your environment.
- Keep SAML token-signing keys in a hardware security module (HSM) so the private key cannot be exported, even by an attacker with administrative access to the AD FS server. Note that an attacker who controls the server can still ask the HSM to sign on their behalf, so the HSM complements the monitoring above rather than replacing it.
- Alert on new credentials (keys or secrets) added to OAuth applications and service principals, and verify that each one is authorized.
- Reduce the attack surface by removing applications and service principals that are no longer needed. Log service principal sign-ins and look for anomalies.
- Use multi-factor authentication, including biometric factors, for all logins. MFA is enforced by the identity provider, so it does not stop tokens forged with a stolen signing key, but it raises the bar for the initial credential theft that precedes that step.
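Several of the items above (PowerShell bursts from one host, additions to federation, new credentials on OAuth applications and service principals, new global administrators) are detections that can be expressed as simple rules over identity audit and sign-in logs. The script below is an added example, not code from the original article or from SolarWinds or Microsoft. It runs those rules over a constructed JSON-lines sample; the field names and operation names are assumptions modeled on Azure AD audit and sign-in log exports and must be mapped to your own log schema.

```python
# Added example: rule-based detections over constructed identity audit events.
# The JSON-lines schema and the operation names below are assumptions modeled
# on Azure AD audit/sign-in exports; map them to the fields your SIEM holds.
import json
from collections import defaultdict

# Operations that add a new trust anchor, identity or credential. Each should
# be matched to a change ticket before it is accepted (names are assumptions).
RISKY_OPERATIONS = {
    "Add service principal credentials",  # new key or secret on an app identity
    "Set domain authentication",          # a domain switched to federation
    "Add application",                    # new app registration
    "Consent to application",             # API permissions granted to an app
}
# Roles whose assignment hands out tenant-wide control (names are assumptions).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample log: six audit events followed by six sign-in events.
SAMPLE_LOG = """\
{"ts":"2020-12-10T02:11:05Z","kind":"audit","op":"Update user","actor":"helpdesk@corp.example","target":"alice@corp.example"}
{"ts":"2020-12-10T02:13:40Z","kind":"audit","op":"Add member to role","actor":"admin.svc@corp.example","target":"backup-ops@corp.example","role":"Global Administrator"}
{"ts":"2020-12-10T02:15:02Z","kind":"audit","op":"Add service principal credentials","actor":"admin.svc@corp.example","target":"Mail Sync Connector"}
{"ts":"2020-12-10T02:16:30Z","kind":"audit","op":"Set domain authentication","actor":"admin.svc@corp.example","target":"partner-corp.example"}
{"ts":"2020-12-10T02:17:11Z","kind":"audit","op":"Add member to role","actor":"it.admin@corp.example","target":"bob@corp.example","role":"Reports Reader"}
{"ts":"2020-12-10T02:18:45Z","kind":"audit","op":"Consent to application","actor":"admin.svc@corp.example","target":"Mail Sync Connector"}
{"ts":"2020-12-10T02:20:00Z","kind":"signin","user":"admin.svc@corp.example","host":"WKS-0417","client":"PowerShell","privileged":true}
{"ts":"2020-12-10T02:20:31Z","kind":"signin","user":"admin.svc@corp.example","host":"WKS-0417","client":"PowerShell","privileged":true}
{"ts":"2020-12-10T02:21:05Z","kind":"signin","user":"helpdesk@corp.example","host":"WKS-0417","client":"PowerShell","privileged":false}
{"ts":"2020-12-10T02:22:18Z","kind":"signin","user":"admin.svc@corp.example","host":"WKS-0417","client":"PowerShell","privileged":true}
{"ts":"2020-12-10T02:25:00Z","kind":"signin","user":"bob@corp.example","host":"WKS-0099","client":"PowerShell","privileged":false}
{"ts":"2020-12-10T02:26:40Z","kind":"signin","user":"alice@corp.example","host":"LAPTOP-22","client":"Browser","privileged":false}
"""


def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_risky_operations(events):
    """Trust-changing operations: new app credentials, federation changes, consents."""
    return [(e["op"], e["actor"], e["target"])
            for e in events
            if e.get("kind") == "audit" and e["op"] in RISKY_OPERATIONS]


def find_privileged_role_grants(events):
    """Role assignments that create new tenant-wide administrators."""
    return [(e["actor"], e["target"], e["role"])
            for e in events
            if e.get("kind") == "audit" and e["op"] == "Add member to role"
            and e.get("role") in PRIVILEGED_ROLES]


def find_powershell_signin_bursts(events, threshold=3):
    """Hosts with at least `threshold` PowerShell sign-ins, noting privileged use."""
    per_host = defaultdict(lambda: {"count": 0, "privileged": False, "users": set()})
    for e in events:
        if e.get("kind") == "signin" and e.get("client") == "PowerShell":
            h = per_host[e["host"]]
            h["count"] += 1
            h["privileged"] = h["privileged"] or bool(e.get("privileged"))
            h["users"].add(e["user"])
    return {host: {"count": h["count"], "privileged": h["privileged"],
                   "users": sorted(h["users"])}
            for host, h in per_host.items() if h["count"] >= threshold}


def run_all(log_text, threshold=3):
    """Run every rule over a JSON-lines log and return the findings by rule."""
    events = parse_events(log_text)
    return {
        "risky_operations": find_risky_operations(events),
        "privileged_role_grants": find_privileged_role_grants(events),
        "powershell_bursts": find_powershell_signin_bursts(events, threshold),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the constructed sample the rules flag the new service principal credential, the federation change and the application consent, the one Global Administrator grant (the Reports Reader grant is ignored), and the single workstation with four PowerShell sign-ins, three of them privileged. The threshold and the operation and role sets are the knobs to tune for your tenant; the point is that each finding is a discrete event to verify against an approved change, not a volume anomaly.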