An attacker compromised the SolarWinds Orion Platform, an IT monitoring product that typically holds privileged credentials for a company's most sensitive systems. While the situation is still evolving and requires further evaluation, the scale of this attack has global implications, and affected companies must act immediately.
Note: This post is a snapshot of the current state of knowledge. Some of the information in it may need to be revised as new findings about the attacker's campaign emerge.
Attack on The Supply Chain with Several High Profile Victims
Public reporting revealed details of a global campaign by a highly capable attacker, currently tracked as "UNC2452", that compromised widely used network management software as part of a supply chain attack against several high-profile victims. The affected software is the SolarWinds Orion Platform. The attacker inserted a malicious backdoor known as "SUNBURST" into one of the application's libraries, giving them access to any system that installed the trojanized build.
The SolarWinds 8-K SEC filing indicates that the malicious code was inserted during the build process and that the source code repository itself was not directly modified. The update looked legitimate to victims because it was delivered through the official update channel and signed with a legitimate SolarWinds code-signing certificate.
Recent reports indicate that the malicious updates were delivered to SolarWinds customers from March 2020 through June 2020. Analysis by Microsoft shows non-malicious anomalies in some earlier updates that may indicate the attacker already had access to the build process as early as October 2019.
The Presence of the Malicious Update Does Not Indicate Active Exploitation
In the SEC filing, SolarWinds estimates that more than 17,000 customers may have received an update containing the malicious code. However, the presence of the malicious update does not by itself mean that a company was actually compromised by the attacker. Because this was a supply chain compromise, the threat actor had no control over which SolarWinds customers downloaded the update; the number of actively exploited companies is therefore likely to be fewer than the total number that received it.
The first reported actively exploited victims included several US government organizations and the US cybersecurity company FireEye. Microsoft has since reported that more than 40 of its customers in eight countries were actively targeted: the United States, Canada, Mexico, Israel, the United Arab Emirates, Belgium, Spain, and the United Kingdom.
As of this writing, the companies reported as actively compromised are government bodies or organizations working closely with government agencies. Such organizations are expected to attract attackers like UNC2452, which has the expertise and resources to pursue them. Compromising the supply chain opens up additional targets, but it is unlikely that most recipients of the update were deliberately targeted when the operation began.
From the Backdoor to Full Control
The backdoor reportedly stays dormant for up to two weeks after installation before running a series of checks designed to keep it from activating while security tools are present or while the affected host is on SolarWinds' own network. Some checks leave the backdoor dormant until they pass; for others, the backdoor attempts to disable the security tools it found and then re-runs the checks to see whether they now pass.
If all checks pass, the backdoor contacts a command and control (C2) server whose hostname combines a hash of host information with three other static components compiled into the backdoor's code. The C2 channel lets the attacker issue a series of commands to penetrate further into the victim's network.
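Because the C2 hostname is derived from a hash of host details plus fixed components, the beacon shows up in DNS logs as a long, high-entropy leftmost label under an unchanging apex domain. The following is an added example of a hunt for that pattern over DNS query logs; it is not code from the original post, SolarWinds or Microsoft. The log format (timestamp, client IP, query name), the entropy and length thresholds, and the apex domain "c2-apex.example" (a placeholder for the C2 apex published in public IOC lists) are assumptions, and the log lines are constructed.

```python
"""DGA-style C2 lookup hunt over DNS query logs.

Added example, not code from the original post, SolarWinds or Microsoft.
The backdoor derives its C2 hostname from a hash of host details plus
static components, so the lookups appear as long, high-entropy leftmost
labels under a fixed apex. Log format, apex domain and thresholds are
assumptions; the sample log lines are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log: two beacon-style lookups from 10.0.5.17 and
# ordinary traffic from both hosts. "c2-apex.example" stands in for the
# real C2 apex domain taken from public IOC lists.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.0.5.17 login.microsoftonline.com
2020-12-14T09:12:07Z 10.0.5.17 k3r7u0f2cdeb9q5hn2s1.svc.eu-west-1.c2-apex.example
2020-12-14T09:14:33Z 10.0.5.17 www.c2-apex.example
2020-12-14T09:20:41Z 10.0.5.17 p8ve2qt3hz6a0dm1xyr4.svc.us-west-2.c2-apex.example
2020-12-14T09:25:10Z 10.0.7.22 updates.solarwinds.com
2020-12-14T09:26:55Z 10.0.7.22 mail.example.org
"""

# Assumed line layout: <timestamp> <client ip> <query name>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: ~4.3 for 20 distinct chars, 0 for 'aaaa'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_dga_like(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Hash-derived labels are long and near-uniform; real hostnames are not."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def hunt_dns(log_text: str, apex: str, min_len: int = 16,
             min_entropy: float = 3.5) -> dict:
    """Return {client_ip: [(ts, qname), ...]} for DGA-like lookups under apex."""
    apex = apex.lower().rstrip(".")
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if not qname.endswith("." + apex):
            continue
        # Strip the apex, then take the leftmost label of what remains.
        leftmost = qname[: -(len(apex) + 1)].split(".")[0]
        if is_dga_like(leftmost, min_len, min_entropy):
            hits[client].append((ts, qname))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in hunt_dns(SAMPLE_DNS_LOG, "c2-apex.example").items():
        print(f"{client}: {len(lookups)} DGA-like lookups")
        for ts, qname in lookups:
            print(f"  {ts} {qname}")
```

On the constructed input, only the two hashed-looking labels from 10.0.5.17 are reported; "www.c2-apex.example" and the lookups from 10.0.7.22 are not. In practice the apex filter should be replaced by the C2 apex from the public IOC lists, and a hit should be followed up by checking the Orion server itself rather than treated as proof on its own.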
Reports indicate that once the attacker has gained control, the subsequent actions vary from victim to victim. As part of the initial activity, the attacker uses a custom memory-only dropper called "TEARDROP". This previously unknown malware reportedly runs as a service and, in at least one case, was used to load a Cobalt Strike Beacon, although it could equally be used to load other malicious code.
Gaining Highly Privileged Access
After these initial steps, the attacker uses better-known techniques, such as PowerShell and native utilities, to escalate privileges and move laterally through the victim's network. At this stage the attacker tries to obfuscate commands and blend in with legitimate activity.
As further reported, the attacker compromises key authentication mechanisms to gain highly privileged access. Abuse of SAML tokens plays a central role here and is achieved by compromising the company's SAML token-signing certificate. CISA Alert AA20-352A indicates that SAML token abuse appears to be common in attacks associated with this attacker, including ones not directly related to SolarWinds.
The attacker was observed using the access obtained via forged SAML tokens to reach important resources in the victims' cloud and online services, including user files and email. Microsoft has published a very useful resource for hunting this attacker's follow-on activity.
The Main Goals
The attacker's main goals appear to be establishing long-term, persistent access to the victim and stealing sensitive data. The technical details of the long-term persistence are well described in the Microsoft blog, which mentions abuse of federation trusts and of OAuth applications or service principals.
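The SAML abuse described in the previous section and the persistence routes named here leave traces in two places: token issuances on the federation server, and directory audit events that change federation settings or add credentials to service principals. The following is an added example of a hunt over both, written for this page; it is not code from the original post or from Microsoft. It runs over constructed newline-delimited JSON records. The field names, the known certificate thumbprint and the sample records are assumptions, and the audit operation names follow Microsoft's published hunting guidance but should be matched against the exact strings in your own tenant's logs.

```python
"""Hunt for forged SAML tokens and cloud persistence changes.

Added example, not code from the original post or from Microsoft. Runs
over constructed newline-delimited JSON records of two kinds: federation
server (IdP) token issuances and Azure AD style directory audit events.
Field names, thumbprints, operation names and sample records are
assumptions (see the lead-in).
"""
import json

# Constructed: thumbprints of the token-signing certificates the IdP is
# legitimately configured with. A token signed by anything else was either
# forged with a stolen key or issued by an attacker-added certificate.
KNOWN_SIGNING_THUMBPRINTS = {
    "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567": "adfs-signing-2020",
}

# Directory operations that create federation-trust or OAuth / service
# principal persistence (assumed names; verify against your tenant's logs).
PERSISTENCE_OPERATIONS = {
    "Set federation settings on domain",
    "Set domain authentication",
    "Add service principal credentials",
    "Add app role assignment to service principal",
}

# Constructed sample records: one normal token, one token signed by an
# unknown certificate with a 24 h lifetime, two persistence changes by the
# same account, and one benign audit event.
SAMPLE_LOG = """\
{"ts": "2020-12-13T10:01:00Z", "type": "token", "user": "alice@corp.example", "signing_thumbprint": "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567", "lifetime_hours": 1}
{"ts": "2020-12-13T10:05:00Z", "type": "token", "user": "admin@corp.example", "signing_thumbprint": "DEADBEEF00000000000000000000000000000000", "lifetime_hours": 24}
{"ts": "2020-12-13T11:20:00Z", "type": "audit", "operation": "Set federation settings on domain", "actor": "svc-breakglass@corp.example", "target": "corp.example"}
{"ts": "2020-12-13T11:25:00Z", "type": "audit", "operation": "Add service principal credentials", "actor": "svc-breakglass@corp.example", "target": "MailSyncApp"}
{"ts": "2020-12-13T12:00:00Z", "type": "audit", "operation": "Update user", "actor": "helpdesk@corp.example", "target": "bob@corp.example"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_forged_tokens(events, known_thumbprints, max_lifetime_hours=8):
    """Tokens signed by an unknown certificate or with an abnormal lifetime."""
    findings = []
    for e in events:
        if e.get("type") != "token":
            continue
        reasons = []
        if e["signing_thumbprint"].upper() not in known_thumbprints:
            reasons.append("unknown signing certificate")
        if e["lifetime_hours"] > max_lifetime_hours:
            reasons.append("abnormal token lifetime")
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings


def find_persistence_changes(events, operations=PERSISTENCE_OPERATIONS):
    """Audit events that alter federation trust or add app/SP credentials."""
    return [
        (e["ts"], e["actor"], e["operation"], e["target"])
        for e in events
        if e.get("type") == "audit" and e["operation"] in operations
    ]


def hunt(text, known_thumbprints=KNOWN_SIGNING_THUMBPRINTS):
    """Run both checks over a log and return the findings by category."""
    events = parse_events(text)
    return {
        "forged_tokens": find_forged_tokens(events, known_thumbprints),
        "persistence_changes": find_persistence_changes(events),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ts, user, reasons in result["forged_tokens"]:
        print(f"{ts} suspicious token for {user}: {', '.join(reasons)}")
    for ts, actor, op, target in result["persistence_changes"]:
        print(f"{ts} {actor} performed '{op}' on {target}")
```

The signing-certificate check is the decisive one: a token that validates cryptographically but was signed by a certificate the organisation never issued means the signing key was stolen or a rogue certificate was added to the federation trust, and the remediation is to rotate the token-signing certificate and review every federation setting and service principal credential added in the same window.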
Reports by the key parties investigating the attack highlight the attacker's sophisticated skill set and operational security, which allowed them to blend in with legitimate activity. Organizations that have the affected software installed should therefore take reasonable steps to investigate, contain, and eliminate this threat.
An Ongoing Investigation
It is important to note that public understanding has been updated as the numerous investigations progressed. One important update since the first publication is the clarification that the activity clusters "SUPERNOVA" and "COSMICGALE" are not directly related to the compromise of the SolarWinds supply chain. These activities are reportedly tied to exploitation of CVE-2019-8917 and are being tracked as a separate actor by both Microsoft and FireEye. Detecting this activity is still important, but it should not be assumed to be part of the larger SolarWinds activity cluster.
What Your Company Should Do About the SolarWinds Hack
The attacker's sophistication lets them blend their activity into legitimate business functions. It is therefore critical that companies that have installed the affected software take steps to investigate, contain, and remediate this threat.
All servers running the affected software should be isolated and examined for signs of compromise. In line with the investigation, companies should install the SolarWinds Orion Platform hotfix as a priority, which brings the product to version 2020.2.1 HF 2.
SolarWinds reports that the hotfix removes the components added by the attacker and includes additional security hardening of the product. This reduces the risk of active exploitation through the backdoor, but it does not by itself remediate a compromise that has already spread beyond the backdoor, such as stolen credentials, forged SAML tokens, or additional implants like TEARDROP.
More Needs to Be Done
These attacks are generally interpreted as part of a cyber espionage campaign, but they are of concern to companies worldwide. Similar approaches are used by highly skilled attackers in critical industries to aggressively gain network access.
This is part of a "hybrid" approach to projecting force and conducting conflict that can now reach into corporate networks anywhere. The attacks also have a destabilizing effect: they undermine trust in the technology and security companies we rely on to enable an increasingly digital economy.
However, there is hope that the backlash against the SolarWinds hack could have a positive effect. The international community has recognized that more needs to be done, and the determination to collaborate across borders and between governments and private companies has increased.