Strategy, privacy, and risk

The Edge of a Storm?

The SolarWinds element of this breach is likely just the ‘tip of the iceberg’ as many more businesses leveraging their management tools are exposed to this compromise. Not necessarily from the nation state actor believed to have triggered it, but from the potential sell off of those points of access to criminal groups. In our investigation experience, broad compromises are often sold on the various dark web forums to organized crime groups who are more likely to target critical business assets looking for an opportunity to monetize the breach.

Rather than being motivated by politically sensitive information or posture, cybercriminal groups may seek to monetize these entry points with ransomware, sensitive data theft, or other denial of service attacks. These can result in extortion requests coming to CISOs and CFOs around the world who may not yet be aware of whether or not their organizations are affected.

It is highly likely that the SolarWinds entry points have been, or are in the process of being, sold off which could lead to a highly-charged storm of cyber-crime into 2021. To date, all the disclosures show the intrusion is very stealthy, leaving minimal other malware to evade detection. Now that the awareness level is high, this may lead to the next strike taking place in order to capitalize on the position they have or on access they have acquired on the black market. With SolarWinds customers tending to be large enterprise organizations these could be some of the most impactful data breaches of this decade.

The incident has been codenamed SUNBURST by the malware analysis community, and I’ve included a primer below to summarize, at a high level, what we know to date.

This is a quickly evolving situation. We will continue to monitor and investigate and update this blog as we learn more.

***

What we know

  • SolarWinds believes it suffered a system compromise that they are attributing to a nation state attack – no confirmation or evidence of nation state attribution has been presented in the community.
  • The SolarWinds Orion product update repository was compromised leading to malicious updates being provided to SolarWinds customers which allowed sophisticated malicious remote access to SolarWinds customer IT infrastructure.
  • This attack used very sophisticated techniques, posing as legitimate trusted software that would have been very challenging for even next-gen antivirus, intrusion detection and prevention products to have detected.
  • The malware provided remote access to intruders as well as some stealth data exfiltration capabilities.
  • Multiple reports indicate that the intrusions on record use ‘interactive’ manual techniques and appear to be deploying minimal other malware to further evade detection. This is analogous to remote reconnaissance.
  • Multiple reports indicate that the intrusion is tailored to the impacted entity. And as such the indicators of compromise (IOC) vary between disclosed breaches. However, the Initial Access IOC is consistently verifiable.

Technology Impact

  • Exposure – Potentially all technology monitored by SolarWinds Orion products in a compromised customer could have been accessed by an intruder.
  • Credentials stored by SolarWinds Orion products have been compromised.
  • Credentials used to access servers running SolarWinds Orion products are likely compromised.
  • Persistence may have been achieved by the intruder using other non-SUNBURST tools and techniques.

Next Steps

  • Determine the depth and breadth of the potential malicious access
    • Confirm whether you have the malicious SolarWinds Orion Update, and whether it was active.
    • Determine the potentially compromised accounts utilized by the intruder.
    • Trace the access from the SolarWinds entry points with the compromised credentials and inventory the accessed systems
    • Forensically acquire:
      • The inventory of systems potentially accessed by the intruder
      • The SolarWinds Orion System
      • Any other critical system component even if not identified (access control, core business applications) as an additional precaution
  • Contain
    • Develop an adaptive containment strategy, based on the depth and breadth of malicious access.
    • Evaluate and adjust the logging, monitoring and alerting systems.
    • Prepare to aggressively block command and control endpoints at least temporarily.
  • Eradicate
    • Prepare to have a dynamic eradication strategy that allows teams to pivot to potentially multiple layers of intrusion requiring different eradication techniques.

Publicly Available IOC Repositories

Sophos
https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv

FireEye
https://github.com/fireeye/sunburst_countermeasures/tree/main/indicator_release

Microsoft
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/