SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management, along with several different types of analysing tools.
The SolarWinds Hack, also known as Solorigate and Sunburst, has been considered by some as the largest and most sophisticated cyberattack so far. The attackers exploited business software firm SolarWinds’ Orion product to send malware to about 18,000 customers. This type of attack is commonly known as supply chain, value-chain or third-party cyberattacks.
FireEye (tracking code UNC2452) detected this activity at multiple entities worldwide. The victims include government, consulting, technology, telecom and other organisations in North America, Europe, Asia and the Middle East. They anticipate there are additional victims in other countries and verticals.
What exactly happened?
According to SolarWinds, the Sunburst attack exploited a vulnerability within their Orion Platform software builds for versions 2019.4 HF 5, 2020.2 unpatched and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion Platform products run. The Sunburst attack disrupts a standard process, resulting in a compromised system that can be manipulated to attack subsequent users of the software.
Based on their investigations, it appears that the code was intended for targeted attacks as its exploitation requires manual intervention.
The Sunburst backdoor attack was followed by the Supernova malware, which consisted of two components. The first was a malicious, unsigned webshell.dll ‘app_web_logoimagehandler.ashx.b6031896.dll’, specifically written to be used on the Orion Platform. The second is the exploitation of a vulnerability in the Orion Platform to enable deployment of the malicious code.
It was also alleged by ThreatPost that malicious code added to an Orion software update may have gone undetected by antivirus software and other security tools on host systems - thanks in part to guidance from SolarWinds itself. In a support advisory, SolarWinds has advised its products may not work properly unless their file directories are exempted from antivirus scans and group policy object restrictions.
SolarWinds has not verified the identity of the attacker. Based on ongoing investigations, SolarWinds believe that the Sunburst vulnerability was inserted within the Orion Platform products and existed in updates released between March and June 2020 as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion Platform products. SolarWinds states that latest updates were designed to remedy this vulnerability in all supported versions of the Orion Platform.
Key learning announced by the victims
According to Microsoft, its key learning from the Solorigate is: embracing a zero trust mindset and protecting privileged credentials. SolarWinds President and CEO, Sudhakar Ramakrishna, in a recent talk conveyed the steps SolarWinds is taking for safer SolarWinds and customer community, with a promise to: ‘Further secure our internal environment, enhance our product development environment, ensure the security and integrity of our software.’
Alex Stamos, who leads the security team at SolarWinds, details what you can learn from the attack: ‘Learn to audit your cloud trust relationships. Learn to build for code integrity. Learn to centralise your monitoring to accelerate detection and speed response. Learn to document network dependencies to better control access. Learn to enhance permission rules and risk-based authentication.’
Bridging the gaps in enterprise information security management and compliance
Anyone who reads the aforementioned key learnings may wonder, ‘Didn’t we know about these already?’ It is well documented and discussed that the weakest link in enterprise security might lie with partners and suppliers in the supply chain. Global enterprises such as SolarWinds naturally attract sophisticated and well-funded actors that are capable of advanced techniques and patience and who are able to operate below the radar (aka advanced persistent threats), as it will be a huge return on their resources invested.
The SolarWinds hack has proven again that despite existing security strategies, many enterprises are struggling to cover the whole security ecosystem of the enterprise. So, what are the gaps in today’s enterprise security ecosystems and approaches that governing bodies and policy makers could fill in?
Should security be a responsibility of just the enterprise? Is it time to bring in international compulsory protocols on product development, architectural design, situational awareness and agility of response to threats?