When a product of the scale and reach of SolarWinds Orion, which is used within many governments, critical infrastructure operators and Fortune 1000 companies, gets compromised, it shakes the IT industry.
Who did it?
To start with, as of now there is no clear understanding of who the actors were; however, it is certain that this attack was carried out with a high level of sophistication. Even the initial breach cannot yet be identified as having come from a compromised employee device or from espionage via an internal bad actor. We saw an example of the latter earlier in the year when a Tesla employee notified officials of being contacted and offered a 1 million USD bounty to compromise information on the development of the Tesla 3.
The initial date of the compromise was potentially as early as March this year; however, it seems as if the planning had been years in the making. The effort these actors have made to obfuscate and evade detection is highly advanced and of a kind normally seen in nation-state cyber warfare.
What was the target of the attack?
The target of the attack was SAML tokens. If you are unaware of what SAML (Security Assertion Markup Language) is, it is a way of minting a security token and then building up trust around that token. It takes high levels of approval to do this: the people who run SolarWinds Orion hold a high level of privilege, and the tokens are built with expiration dates so that people can have access to other things. In this attack that access extended to highly privileged accounts in Azure AD, which means it is not just the local network but also cloud workloads that build long-term access, and that is highly concerning.
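The point above is that the value of a SAML token lies in its issuer, its validity window and the roles it carries. The following is an added example (not code from the original post or from SolarWinds) of a defender-side sanity check over assertions pulled from an identity provider or relying-party log: it parses a constructed, unsigned assertion, checks the issuer against an allow-list, measures the NotBefore/NotOnOrAfter window and flags assertions that are unusually long-lived or that grant privileged roles. The issuer URL, the one-hour policy limit and the role names are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed local policy values (illustration only, not from the post):
TRUSTED_ISSUERS = {"https://sts.example.invalid/adfs/services/trust"}
MAX_LIFETIME = timedelta(hours=1)          # normal tokens from our STS live <= 1h
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _parse_utc(value):
    """SAML timestamps are ISO 8601 in UTC, e.g. 2020-12-14T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_assertion(xml_text):
    """Return a list of human-readable findings; an empty list means the
    assertion looks normal under the assumed policy."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Who minted the token? Anything outside the allow-list is a finding.
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in TRUSTED_ISSUERS:
        findings.append(f"issuer not in allow-list: {issuer}")

    # 2. How long is the token good for? Long-lived tokens are the concern
    #    raised in the post, because they provide durable access.
    cond = root.find("saml:Conditions", SAML_NS)
    not_before = _parse_utc(cond.get("NotBefore"))
    not_after = _parse_utc(cond.get("NotOnOrAfter"))
    lifetime = not_after - not_before
    if lifetime > MAX_LIFETIME:
        findings.append(f"validity window {lifetime} exceeds policy maximum {MAX_LIFETIME}")

    # 3. Which roles does it carry? Privileged roles deserve a closer look.
    roles = {
        v.text for v in root.findall(
            ".//saml:Attribute[@Name='role']/saml:AttributeValue", SAML_NS)
    }
    for role in sorted(roles & PRIVILEGED_ROLES):
        findings.append(f"assertion grants privileged role: {role}")
    return findings


def _assertion(issuer, not_before, not_after, role):
    """Build a constructed, unsigned assertion for the demo (not a real token)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Constructed samples: a normal 30-minute user token and a one-year admin token.
NORMAL = _assertion("https://sts.example.invalid/adfs/services/trust",
                    "2020-12-14T10:00:00Z", "2020-12-14T10:30:00Z", "User")
SUSPICIOUS = _assertion("https://sts.example.invalid/adfs/services/trust",
                        "2020-12-14T10:00:00Z", "2021-12-14T10:00:00Z", "Global Administrator")

if __name__ == "__main__":
    for label, doc in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(label, inspect_assertion(doc) or ["no findings"])
```

This check deliberately does not verify the XML signature: a token minted with a stolen signing key validates perfectly, so the lifetime and role checks above are what catch it. Run it over assertions exported from the identity provider rather than from the relying party, so that the issuer field itself can be trusted.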
What can we learn?
As of today VirusTotal, FireEye and Microsoft have all updated their signatures; in fact, FireEye has a solid and detailed write-up (FireEye SUNBURST threat research), and the team at SolarWinds are on top of their own investigation.
Due to the sophistication of the attack, it is very difficult to define which TTPs could have been improved to identify this early; however, improved privileged access systems, isolation of users and sophisticated anomaly detection are ways of preventing similar attacks. As they say, prevention is better than cure.
If you need help or would like further information get in contact with the team from Acensi Cyber [email protected] www.acensisec.com
Why was this so hard to detect?
In simplistic terms, security platforms saw this trojanised backdoor as trusted. Why? Because its digital signature had been issued by a known good supplier, i.e. SolarWinds; this is why it is defined as a supply chain attack. These are difficult attacks to defend against, as the code is closed source and we can only observe the platform's behaviour.
What made this even more challenging was the native behaviour of the Orion platform, which when deployed goes quiet for two weeks in a passive collecting mode, so any systems that typically recognise changes within the infrastructure would not raise an alert, as the attack was masquerading as legitimate activity.
The attack additionally used multiple blocklists to identify forensic and antivirus tools, services and drivers. We are also seeing this in advanced malware that can determine whether it is running in a researcher's lab or on an important network, negating sandbox defences.
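Because the signature is valid and the source is closed, the only handle a defender has is the platform's behaviour. The following is an added example (not code from the original post or from SolarWinds) of the kind of anomaly detection mentioned above: it builds a per-process, per-signer baseline of outbound destinations from a quiet period and then alerts when a signed process contacts a destination it has never used, or when a process with no baseline at all starts talking. The log format, process names, signer name and hostnames are all constructed for the example. A trusted signer is deliberately not treated as an exemption.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption for this example):
# <timestamp> proc=<image name> signer="<code-signing subject>" dest=<host:port>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) proc=(?P<proc>\S+) signer="(?P<signer>[^"]*)" dest=(?P<dest>\S+)$')

# Two weeks of "normal" traffic from a monitoring host, condensed (constructed).
BASELINE_LOG = """\
2020-11-01T08:00:00Z proc=MonitoringSvc.exe signer="Trusted Vendor" dest=switch01.corp.invalid:161
2020-11-01T08:00:05Z proc=MonitoringSvc.exe signer="Trusted Vendor" dest=db01.corp.invalid:1433
2020-11-02T08:00:00Z proc=MonitoringSvc.exe signer="Trusted Vendor" dest=switch01.corp.invalid:161
2020-11-03T09:15:00Z proc=Backup.exe signer="Trusted Vendor" dest=backup.corp.invalid:443
"""

# Later traffic to evaluate against the baseline (constructed).
OBSERVED_LOG = """\
2020-11-16T08:00:00Z proc=MonitoringSvc.exe signer="Trusted Vendor" dest=switch01.corp.invalid:161
2020-11-16T08:00:09Z proc=MonitoringSvc.exe signer="Trusted Vendor" dest=api.update-cdn.invalid:443
2020-11-16T08:01:00Z proc=Backup.exe signer="Trusted Vendor" dest=backup.corp.invalid:443
2020-11-16T08:02:00Z proc=Helper.exe signer="Trusted Vendor" dest=files.corp.invalid:445
"""


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def build_baseline(text):
    """Map (process, signer) -> set of destinations seen in the baseline window."""
    baseline = defaultdict(set)
    for ev in parse_lines(text):
        baseline[(ev["proc"], ev["signer"])].add(ev["dest"])
    return baseline


def find_anomalies(baseline, text):
    """Return (timestamp, process, destination, reason) tuples for traffic that
    the baseline does not explain. The signer is part of the key so that a
    re-signed or differently signed binary never inherits another's baseline,
    but a trusted signer on its own suppresses nothing: the signature says
    who shipped the code, not what the code is doing now."""
    alerts = []
    for ev in parse_lines(text):
        key = (ev["proc"], ev["signer"])
        if key not in baseline:
            alerts.append((ev["ts"], ev["proc"], ev["dest"], "process has no baseline"))
        elif ev["dest"] not in baseline[key]:
            alerts.append((ev["ts"], ev["proc"], ev["dest"], "new destination for signed process"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(" | ".join(alert))
```

The two-week quiet period described above is exactly why the baseline window matters: if the baseline is collected only during the dormant phase, the first beacon afterwards shows up as a new destination rather than blending in. In practice the baseline should also be refreshed after each vendor update, since a legitimate update can change the destination set, and that change should itself be reviewed rather than silently accepted.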