SolarWinds Under Siege
SolarWinds disclosed Sunday that it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June of this year. The company said it’s been told the attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, though no specific country was named.
A FireEye blog post states that hackers gained access to numerous public and private organisations through trojanized updates to SolarWinds’ Orion software, but didn’t disclose the identity of any of the victims. Media reports have attributed attacks on the US Treasury and Commerce Departments as well as FireEye to a vulnerability in the Orion products, but SolarWinds said Monday it’s still investigating.
The colossal SolarWinds breach is sending shockwaves through Capitol Hill and Fortune 500 corner offices alike given the high-profile nature of the reported victims and the presumed involvement of Russian intelligence services. From how the hackers evaded detection to why federal agencies must power down Orion to its impact on the SolarWinds MSP business, here are the big things to know about the SolarWinds hack.
10. Hack comes months after zero-day exploit of RMM tool
This isn’t the first time that SolarWinds’ technology has been open to exploitation. A zero-day vulnerability in SolarWinds MSP’s remote monitoring and management (RMM) tool n-Central announced in January 2020 allowed security researchers to steal the administrative credentials of an account holder, security vendor Huntress said at the time.
The flaw was reported in October 2019 and remained open for more than three months, according to Huntress. SolarWinds said at the time that the exploit was never used by malicious actors to compromise any partner accounts, and deployed hotfixes for the flaw in January 2020. It also released a mitigation tool that could be used in the event the hotfix couldn’t be applied.
SolarWinds told CRN at the time that the researcher reported the flaw to the company in October but there was no proof of concept. Following its internal protocol, the company monitored the findings and began working on a patch in late January when a proof of concept was disclosed.
9. SolarWinds breach doesn’t impact company’s MSP business
While hackers over the past two years have taken advantage of the tools MSPs rely on to manage customer IT systems, the tools utilized in this breach do not appear to be linked to SolarWinds’ MSP business. The Orion platform supports SolarWinds’ longtime IT infrastructure management business and doesn’t appear to be connected to the SolarWinds MSP business built via acquisitions in recent years.
SolarWinds MSP isn’t aware of any impact to its remote monitoring and management (RMM), N-Central and associated products from the attack on Orion, President John Pagliuca said in a security advisory posted Sunday evening. Pagliuca would take over as SolarWinds MSP CEO if the proposed spin-off of the business into a standalone company, which has been under consideration for months, happens.
Just four days before news of this colossal hack went public, SolarWinds named Pulse Secure’s Sudhakar Ramakrishna as its next CEO. During his five years leading Pulse Secure, Ramakrishna had to deal with hackers exploiting a widely known flaw in the company’s VPN appliance to carry out ransomware attacks many months after a patch had already been rolled out.
8. Russian Intelligence Service accused of orchestrating campaign
The Washington Post reported Sunday that the hackers with the Russian intelligence service—known as APT29—who attacked FireEye also compromised the Treasury and Commerce departments as well as other US government agencies. The breaches have been taking place for months and may amount to an operation as significant as the State Department and White House hacks during the Obama years.
The hack was considered so serious it led to a National Security Council meeting at the White House on Saturday, according to Reuters. APT29 also compromised the Democratic National Committee servers in 2015 but didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Post said.
The Washington Post said that APT29 hacks for traditional espionage purposes, stealing secrets that can be useful for the Kremlin to understand the plans and motives of politicians and policymakers. Group members have stolen industrial secrets, hacked foreign ministries and, more recently, have attempted to steal coronavirus vaccine research, according to The Post.
7. Russia denies that it is behind the hacks
In a statement posted to Facebook late Sunday, the Russian foreign ministry described the allegations as another unfounded attempt by the US media to blame Russia for cyberattacks against US agencies.
“Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian embassy to the US wrote on Facebook. “Russia does not conduct offensive operations in the cyber domain.”
Russia claims that it promotes bilateral and multilateral cyber security agreements, pointing to the Sept. 25 initiative put forward by President Vladimir Putin that aims to restore Russian-US cooperation in the field of international information security. Russia said it’s received no reply from Washington to its Sept. 25 proposal, and that many other suggestions to start dialogue with the US remain unanswered.
6. SolarWinds’ tentacles reach deep into the US Government
The diversity of SolarWinds’ customer base has sparked concern within the US intelligence community that other government agencies could be at risk, Reuters reported Sunday. SolarWinds’ stock plunged US$3.48 (14.77 percent) in trading Monday morning to US$20.08 per share, which is the lowest the company’s stock has traded since Oct. 2.
SolarWinds said on its website that its technology is used by the Pentagon, all five branches of the US military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States. SolarWinds said its technology is also used by hundreds of colleges and universities worldwide.
In the private sector, SolarWinds counts all five of the top US accounting firms, all 10 of the top 10 US telecommunications companies, and more than 425 of the US Fortune 500 among its base of clients. All told, SolarWinds said its products and services are used by more than 300,000 customers worldwide.
5. Hackers exploited legitimate software updates for remote access
Attacks conducted as part of the campaign exploiting SolarWinds’ Orion network monitoring product share several common elements, according to FireEye CEO Kevin Mandia. First, Mandia said the attacks insert malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment.
In addition, Mandia said the hackers went to significant lengths to observe and blend into normal network activity and maintained a light malware footprint to help avoid detection. Finally, Mandia said the adversaries patiently conducted reconnaissance, consistently covered their tracks, and used difficult-to-attribute tools.
Nation-state hackers gained access to government, consulting, technology and telecom firms around the world through trojanized updates to Orion, FireEye threat researchers wrote in a blog post. Post-compromise activity has included lateral movement and data theft, according to the threat researchers.
4. Hackers went out of their way to disguise ops, remain hidden
The malware inserted into SolarWinds Orion disguises its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.
Hostnames were set by the hackers on their command and control infrastructure to match a legitimate hostname found within the victim’s environment, allowing the adversary to blend into the environment, avoid suspicion, and evade detection, FireEye said. The attacker’s choice of IP addresses was also optimized to evade detection, using only IP addresses originating from the same country as the victim.
Once the attacker gained access to the network with compromised credentials, they moved laterally using credentials that were always different from those used for remote access, the threat researchers said. And once legitimate remote access was achieved, FireEye found that the hackers routinely removed their tools, including backdoors.
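The hostname trick described above (command-and-control infrastructure named after a real host in the victim’s environment, reached from an IP address in the victim’s own country) means neither the hostname nor the country of origin is a reliable signal on its own. One defensive check that does not depend on either is to correlate the workstation name presented in a remote-access event with where the connection actually came from. The following is an added illustration, not code from the article, FireEye or SolarWinds; the log format, hostnames and address ranges are constructed for the example.

```python
"""Flag remote-access events whose claimed workstation name belongs to the
internal inventory but whose source address is not one of ours.

Added illustration (not part of the article or any vendor tooling). The log
format, hostnames, and address ranges below are constructed for the example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed: internal address space and the host inventory for one site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_HOSTS = {"ws-fin-017", "ws-hr-042", "srv-orion-01"}

# Constructed log format: one remote-access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample events: two of the successes present an inventory
# hostname from an address outside the internal ranges.
SAMPLE_LOG = """\
2020-12-13T02:11:09Z jdoe host=ws-fin-017 src=10.12.4.31 result=success
2020-12-13T02:14:52Z svc-monitor host=srv-orion-01 src=10.12.4.5 result=success
2020-12-13T03:01:44Z jdoe host=ws-fin-017 src=203.0.113.77 result=success
2020-12-13T03:05:10Z asmith host=ws-hr-042 src=192.168.8.20 result=failure
2020-12-13T03:40:27Z svc-monitor host=srv-orion-01 src=198.51.100.9 result=success
"""


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of our own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            continue
        events.append(m.groupdict())
    return events


def flag_hostname_ip_mismatches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return successful events that present an inventory hostname from a
    non-internal source address. Country of the source IP is deliberately
    not consulted: the article notes the attackers used in-country addresses."""
    flagged = []
    for ev in parse_events(lines):
        if ev["result"] != "success":
            continue
        if ev["host"] in INTERNAL_HOSTS and not is_internal(ev["src"]):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in flag_hostname_ip_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{ev['ts']} {ev['user']} claims {ev['host']} from external {ev['src']}")
```

The check is intentionally based on address ownership (our ranges or not) rather than geolocation, since the article notes the attackers chose addresses in the victim’s own country. A real deployment would source the host inventory and address ranges from the asset database and VPN concentrator configuration rather than constants.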
3. Hackers forged tokens to impersonate privileged accounts
The hackers used administrative permissions acquired through on-premises compromise of SolarWinds Orion to access a victim’s trusted SAML token-signing certificate, said John Lambert, distinguished engineer in Microsoft’s Threat Intelligence Center. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
A compromised token-signing certificate can be used against any on-premises resources (regardless of identity system or vendor) as well as against any cloud environment (regardless of vendor) because they have been configured to trust the certificate, Lambert wrote in a blog posted Sunday. Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the victim.
Using highly privileged accounts acquired through this technique, Lambert said attackers may add their own credentials to existing application service principals, enabling them to call APIs with the permission assigned to that application.
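Because a token forged with the organisation’s own token-signing certificate carries a perfectly valid signature, signature verification at the relying party cannot tell it apart from a genuine one. What the identity provider does have is a record of every assertion it actually issued, so one detection approach is to correlate assertions accepted by a service provider against the IdP’s issuance log and flag any that were never issued, whose subject differs from the issuance record, or whose validity window exceeds policy. The following is an added illustration, not code from the article or from Microsoft; the log formats, assertion IDs, subjects and the one-hour lifetime policy are all constructed assumptions.

```python
"""Correlate SAML assertions accepted by a service provider with the identity
provider's issuance log. A token forged with a stolen signing certificate
carries a valid signature, so signature checks pass; the IdP, however, has no
record of issuing it. Added illustration, not from the article or Microsoft;
log formats, identifiers and the lifetime policy are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed: what the IdP logged as issued (assertion id, subject, time).
IDP_ISSUANCE_LOG = """\
_a1f3 subject=alice@example.test issued=2020-12-13T09:00:05Z
_b7c2 subject=bob@example.test issued=2020-12-13T09:02:41Z
"""

# Constructed: assertions the service provider accepted (all signatures valid).
# The third one never appears in the IdP log and claims a 24-hour lifetime.
SP_ACCEPTED_LOG = """\
_a1f3 subject=alice@example.test issued=2020-12-13T09:00:05Z expires=2020-12-13T10:00:05Z
_b7c2 subject=bob@example.test issued=2020-12-13T09:02:41Z expires=2020-12-13T10:02:41Z
_9e0d subject=globaladmin@example.test issued=2020-12-13T09:10:00Z expires=2020-12-14T09:10:00Z
"""

MAX_LIFETIME = timedelta(hours=1)  # assumed IdP-configured assertion lifetime


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _parse_kv_log(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'ID key=value ...' lines into {ID: {key: value}}."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        records[parts[0]] = fields
    return records


def find_suspect_assertions(idp_log: str, sp_log: str) -> List[Dict[str, str]]:
    """Return accepted assertions that the IdP has no record of issuing,
    whose subject disagrees with the IdP record, or whose lifetime exceeds
    policy, together with the reasons."""
    issued = _parse_kv_log(idp_log)
    accepted = _parse_kv_log(sp_log)
    suspects = []
    for aid, a in accepted.items():
        reasons = []
        rec = issued.get(aid)
        if rec is None:
            reasons.append("no matching IdP issuance record")
        elif rec.get("subject") != a.get("subject"):
            reasons.append("subject differs from IdP record")
        lifetime = _parse_ts(a["expires"]) - _parse_ts(a["issued"])
        if lifetime > MAX_LIFETIME:
            reasons.append(f"lifetime {lifetime} exceeds policy {MAX_LIFETIME}")
        if reasons:
            suspects.append(
                {"id": aid, "subject": a.get("subject", ""), "reasons": "; ".join(reasons)}
            )
    return suspects


if __name__ == "__main__":
    for s in find_suspect_assertions(IDP_ISSUANCE_LOG, SP_ACCEPTED_LOG):
        print(f"{s['id']} ({s['subject']}): {s['reasons']}")
```

The correlation only works if the service provider logs the assertion ID and the IdP’s issuance log is retained and shipped somewhere the attacker cannot edit, which is why centralising AD FS or other IdP audit logs matters as much as the check itself. Rotating the token-signing certificate invalidates anything forged with the old key and is the remediation the correlation is meant to trigger.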
2. Orion vulnerability might affect nearly 18K customers
SolarWinds communicated Sunday with the approximately 33,000 Orion product customers that were active maintenance customers since March, and believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000, according to a filing with the US Securities and Exchange Commission (SEC) Monday morning.
For the nine months ended September 30, 2020, total revenue from the Orion products across all customers, including those with a vulnerability, was approximately US$343 million, or approximately 45 percent of total revenue. SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in the reported attacks against US government agencies.
SolarWinds is aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails that may have provided access to other data contained in the company’s office productivity tools. SolarWinds said it’s investigating with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.
1. US calls on Federal Agencies to power down SolarWinds Orion
The US government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit. The directive instructs all agencies operating SolarWinds products to report that they have completed the shutdown by 12 p.m. US ET Monday.
The directive from the Cybersecurity and Infrastructure Security Agency (CISA) comes “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors.” Specifically, the directive “calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales in the directive. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”