It has been several weeks since the Federal Government announced the massive breach involving software from SolarWinds. The breach stemmed from malware delivered into government networks through a network and performance monitoring product. Soon thereafter, SolarWinds itself announced that up to 18,000 customers of its software platform had been impacted by software patches that were tainted by the alleged Russian hacker group behind the attack, CozyBear.
How Can One Hack Impact More Than 18,000 Organizations?
SolarWinds Orion is a software platform that relies on agent software being installed on servers, network devices, and other infrastructure to monitor and report on performance and other issues. This software is a valuable ally to system administrators tasked with doing more with less and preventing infrastructure failures.
Unfortunately, because of the nature of the software, which must be installed on a large number of machines, a hack like this provides access to countless devices across entire enterprises. As a result, it is difficult to find the hackers and prevent them from exfiltrating (stealing) information from the networks.
Today, many organizations are trying to pick up the pieces, determine if they have “bad actors” in their networks, and figure out how to remediate the damages that this supply chain hack has done to their business.
What Guidance Has the Government Given?
The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive 21-01 (https://cyber.dhs.gov/ed/21-01/), which guides Federal agencies through mitigation steps that include:
– Disconnecting or powering down SolarWinds Orion products (v2019.4-v2020.2.1).
– Blocking all traffic to and from the hosts where any version of SolarWinds Orion has been installed.
– Identifying and removing all threat-actor controlled accounts.
– Reporting incidents to CISA.
Where to Find Technical Descriptions of the Breach
FireEye, one of the global leaders in detecting and hunting cybercriminals and one of the many victims of the SolarWinds breach, has offered the following advice via their blog (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html):
– Check logs for SMB sessions that show access to legitimate directories and follow a delete-create-execute-delete-create pattern in a short amount of time.
– Look for single systems making connections using different accounts.
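As an added illustration, not part of the original post or of FireEye's guidance, the two heuristics above expressed as a small Python pass over a constructed, simplified event format; the field layout, the sample rows, and the thresholds (time windows and account count) are assumptions to adapt to your own SMB and authentication logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source host, account, action, path): rows 1-5
# mimic a delete-create-execute-delete-create burst on an admin share; rows 6-8 show
# one source host using three different accounts within a few minutes.
SAMPLE_EVENTS = [
    ("2020-12-14 03:00:01", "10.0.0.5", "svc_orion", "delete",  r"\\fs01\ADMIN$\t.exe"),
    ("2020-12-14 03:00:02", "10.0.0.5", "svc_orion", "create",  r"\\fs01\ADMIN$\t.exe"),
    ("2020-12-14 03:00:03", "10.0.0.5", "svc_orion", "execute", r"\\fs01\ADMIN$\t.exe"),
    ("2020-12-14 03:00:09", "10.0.0.5", "svc_orion", "delete",  r"\\fs01\ADMIN$\t.exe"),
    ("2020-12-14 03:00:10", "10.0.0.5", "svc_orion", "create",  r"\\fs01\ADMIN$\t.exe"),
    ("2020-12-14 03:05:00", "10.0.0.7", "alice", "create", r"\\fs02\share\a.txt"),
    ("2020-12-14 03:06:00", "10.0.0.7", "bob",   "create", r"\\fs02\share\b.txt"),
    ("2020-12-14 03:07:00", "10.0.0.7", "carol", "create", r"\\fs02\share\c.txt"),
]
PATTERN = ("delete", "create", "execute", "delete", "create")

def parse(events):
    """Turn the string timestamps into datetimes and sort chronologically."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), h, a, act, p)
                  for ts, h, a, act, p in events)

def find_drop_execute_sequences(events, window=timedelta(minutes=5)):
    """(host, path) pairs whose actions on one path contain PATTERN in order,
    with the whole sequence completed inside `window` (first heuristic)."""
    by_key = defaultdict(list)
    for ts, host, _acct, act, path in parse(events):
        by_key[(host, path)].append((ts, act))
    hits = []
    for key, seq in by_key.items():
        n = len(PATTERN)
        for i in range(len(seq) - n + 1):
            acts = tuple(act for _, act in seq[i:i + n])
            if acts == PATTERN and seq[i + n - 1][0] - seq[i][0] <= window:
                hits.append(key)
                break
    return hits

def find_multi_account_hosts(events, window=timedelta(minutes=10), min_accounts=3):
    """Source hosts seen with at least `min_accounts` distinct accounts inside `window` (second heuristic)."""
    by_host = defaultdict(list)
    for ts, host, acct, _act, _path in parse(events):
        by_host[host].append((ts, acct))
    flagged = []
    for host, seq in by_host.items():
        for i, (start, _) in enumerate(seq):
            accounts = {a for t, a in seq[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged.append(host)
                break
    return flagged
```

Both checks are noisy on their own (backup jobs and jump hosts trip them legitimately), so treat hits as leads to triage against the FireEye indicators rather than as confirmation of compromise.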
See the FireEye blog post for significantly more technical explanations of how the malware gets installed, what other malware is being deployed once a system is breached, and how to detect traffic patterns in your network that indicate you have been hacked.
What is the Full Scope of the Hack?
It is important to know that although the hackers used a malware package called “Sunburst” to get in, once inside a network they deploy multiple different malware tools to secure a foothold. This means that although you might clean up one area that you believed to be infected, chances are there are other infections that need to be dealt with.
Even more nefarious, this hack most likely started in March / April 2020, as software patches from SolarWinds rolled out to their customers, giving the attackers a 6 – 8 month head start on any remediation work.
This threat should be taken with all seriousness. If you use SolarWinds products, take immediate action to ascertain the impact on your business and begin remediation activities.
What Can Be Done to Protect Impacted Businesses?
UNCOMN is here to help you and your company through this uncertainty. Email firstname.lastname@example.org to schedule a free cybersecurity review with our Cyber Response Team.