The Edge of a Storm?

Andrew Barratt, Managing Director, Europe

The SolarWinds element of this breach is likely just the ‘tip of the iceberg’ as many more businesses leveraging their management tools are exposed to this compromise. Not necessarily from the nation state actor believed to have triggered it, but from the potential sell off of those points of access to criminal groups. In our investigation experience, broad compromises are often sold on the various dark web forums to organized crime groups who are more likely to target critical business assets looking for an opportunity to monetize the breach.

Rather than being motivated by politically sensitive information or posture, cybercriminal groups may seek to monetize these entry points with ransomware, sensitive data theft, or other denial of service attacks. These can result in extortion requests coming to CISOs and CFOs around the world who may not yet be aware of whether or not their organizations are affected.

It is highly likely that the SolarWinds entry points have been, or are in the process of being, sold off which could lead to a highly-charged storm of cyber-crime into 2021. To date, all the disclosures show the intrusion is very stealthy, leaving minimal other malware to evade detection. Now that the awareness level is high, this may lead to the next strike taking place in order to capitalize on the position they have or on access they have acquired on the black market. With SolarWinds customers tending to be large enterprise organizations these could be some of the most impactful data breaches of this decade.

The incident has been codenamed SUNBURST by the malware analysis community, and I’ve included a primer below to summarize, at a high level, what we know to date.

This is a quickly evolving situation. We will continue to monitor and investigate and update this blog as we learn more.

***

What we know

  • SolarWinds believes it suffered a system compromise that they are attributing to a nation state attack – no confirmation or evidence of nation state attribution has been presented in the community.
  • The SolarWinds Orion product update repository was compromised leading to malicious updates being provided to SolarWinds customers which allowed sophisticated malicious remote access to SolarWinds customer IT infrastructure.
  • This attack used very sophisticated techniques, posing as legitimate trusted software that would have been very challenging for even next-gen antivirus, intrusion detection and prevention products to have detected.
  • The malware provided remote access to intruders as well as some stealth data exfiltration capabilities.
  • Multiple reports indicate that the intrusions on record use ‘interactive’ manual techniques and appear to be deploying minimal other malware to further evade detection. This is analogous to remote reconnaissance.
  • Multiple reports indicate that the intrusion is tailored to the impacted entity. And as such the indicators of compromise (IOC) vary between disclosed breaches. However, the Initial Access IOC is consistently verifiable.

Technology Impact

  • Exposure – Potentially all technology monitored by SolarWinds Orion products in a compromised customer could have been accessed by an intruder.
  • Credentials stored by SolarWinds Orion products have been compromised.
  • Credentials used to access servers running SolarWinds Orion products are likely compromised.
  • Persistence may have been achieved by the intruder using other non-SUNBURST tools and techniques.

Next Steps

  • Determine the depth and breadth of the potential malicious access
    • Confirm whether you have the malicious SolarWinds Orion Update, and whether it was active.
    • Determine the potentially compromised accounts utilized by the intruder.
    • Trace the access from the SolarWinds entry points with the compromised credentials and inventory the accessed systems
    • Forensically acquire:
      • The inventory of systems potentially accessed by the intruder
      • The SolarWinds Orion System
      • Any other critical system component even if not identified (access control, core business applications) as an additional precaution
  • Contain
    • Develop an adaptive containment strategy, based on the depth and breadth of malicious access.
    • Evaluate and adjust the logging, monitoring and alerting systems.
    • Prepare to aggressively block command and control endpoints at least temporarily.
  • Eradicate
    • Prepare to have a dynamic eradication strategy that allows teams to pivot to potentially multiple layers of intrusion requiring different eradication techniques.

Publicly Available IOC Repositories

Sophos
https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv

FireEye
https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release

Microsoft
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Andrew Barratt

Author

Andrew Barratt — Managing Director, Europe

Recent Posts

Post Topics

Archives

Tags

Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit Azure bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 CPRA credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS
Top