Solarwinds, an essential tool for monitoring and controlling the technological infrastructure of organizations has recently been hacked, affecting more than 18,000 SolarWinds customers around the world. The attack may have begun as early as Spring 2020 and is considered to be currently ongoing.
Due to the magnitude of the attack and the sheer amount of affected companies, it is yet unclear what information might have been stolen and even worse which companies have exactly been compromised without them knowing this is the case and having identified the breach and are thus still being exposed to future attacks.
US Intelligence, through a joint statement on January 5, 2021, including the FBI, NSA, CISA and ODNI, have publicly blamed Russia for the attack. However, SolarWinds and various Cybersecurity companies addressed the hack as having been the result of “nation-state actors” without apportioning full blame to any country directly.
As mentioned above, the SolarWinds security breach and its related cybersecurity attacks is extremely wide-ranging and comprehensive, affecting a great number of government agencies and private companies.
The US Justice Department took nine days after the original hack was detected to confirm that it had been compromised. The attack on the Justice Department utilized the organisation’s Microsoft Office 365 system and managed to gain access to roughly 3,000 email accounts, both in terms of received emails, as well as sent emails.
Microsoft has since moved to remove any malicious code that found its way into their system due to the SolarWinds hack and asserts that its customers have not been harmed.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries [i.e., code] in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others”, said corporate vice president of communications at Microsoft Frank Shaw.
Initially, SolarWinds had released a list of affected major clients on its own website, but it has since deleted the page and purged the list from its Google cache. Although this has not been confirmed, the speculation is that SolarWinds are trying to protect its customers from other hackers who are not aware that the companies originally listed are exposed to any attacks.
The Hack
Hackers managed to exploit a system that SolarWinds uses to pack and distribute their updates to its Orion product. From there, they inserted a malicious DLL file which was allowed to pass through any defense measures since it was hidden inside a legitimate update. By compromising signed libraries, the malicious file used the target companies’ own digital certificates as an attempt to evade application control technologies and pass the trojan undetected.
The certificate details with the signer hash are shown below:
Mitigation recommendations
SolarWinds has released an update patch and recommends updating the Orion Platform to the release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal, therefore, organizations should consider preserving impacted devices and implementing new systems using the latest versions.
Also, IT Departments should keep in mind that upgrading an impacted device could potentially overwrite any evidence useful for a forensics investigation or might leave any additional backdoors to the system. In addition, SolarWinds has released additional mitigation and hardening instructions at https://www.solarwinds.com/sa-overview/securityadvisory.
In the event that companies are unable to follow SolarWinds’ recommendations, the following instructions outline immediate mitigation techniques that could be deployed as first steps to address the risk of trojanized SolarWinds software in an environment. These instructions are directly provided by SolarWinds themselves:
“If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.
- Ensure that SolarWinds servers are isolated / contained until a further review and investigation are conducted. This should include blocking all Internet egress from SolarWinds servers.
- If SolarWinds infrastructure is not isolated, consider taking the following steps:
- Restrict the scope of connectivity to endpoints from SolarWinds servers, especially those that would be considered Tier 0 / crown jewel assets
- Restrict the scope of accounts that have local administrator privileges on SolarWinds servers.
- Block Internet egress from servers or other endpoints with SolarWinds software.
- Consider (at a minimum) changing passwords for accounts that have access to SolarWinds servers / infrastructure. Based upon further review / investigation, additional remediation measures may be required.
- If SolarWinds is used to manage networking infrastructure, consider conducting a review of network device configurations for unexpected / unauthorized modifications. Note, this is a proactive measure due to the scope of SolarWinds functionality, not based on investigative findings.”
How Boltonshield can help
It is incredibly important to stress that the fallout from the SolarWinds hack has still yet to be properly defined in breadth and scope. There are many companies out there that may be unknowingly exposed without them operating with this potential danger in mind.
It is crucial for your organisation that it seeks out and consults a cybersecurity company with the requisite expertise, knowhow and technical means to audit your network and entire IT ecosystem for any indications of latent vulnerabilities.
While this may seem like an unnecessary cost and even a hindrance to short-term operational priorities, it will prove to be invaluable in the long term, both in terms of privacy and security, but also in terms of business viability.
You can get in touch with us to find out exactly how BoltonShield can help you by clicking here.
If you want to get updated about our recent publications about cybersecurity related topics, subscribe to our newsletter!