Since news broke last month of the SolarWinds supply chain attack, a number of concerned clients have asked us how best to remediate the impact of the software compromise. So what exactly happened in this attack, and what should organisations do about it?
In early December 2020 it was reported that highly capable attackers had gained access to a significant number of major US organisations by compromising network management software developed by SolarWinds. The attackers, widely believed to be linked to the Russian state, inserted a backdoor known as Sunburst into a legitimate, digitally signed update of SolarWinds' IT performance monitoring platform, Orion.
It has been estimated that up to around 18,000 SolarWinds customers installed the compromised update, and around 80% of the victims identified so far are in the US. The SolarWinds customer list includes the top ten US telecommunications companies, the top five US accounting firms, and elements of the US military, the Pentagon and the State Department. There have also been a smaller number of victims in many other countries, including the UK, as evidenced by the enquiries we have already received from concerned clients.
Although many companies reported that they had installed the compromised SolarWinds update, there is little evidence so far that the attackers followed up the Sunburst backdoor with hands-on intrusion in more than a small proportion of those organisations. It appears to have been an espionage operation aimed at reconnaissance and gathering information, rather than at disrupting systems or destroying data. SolarWinds itself has released a patch and upgrade for the Orion platform, and Microsoft and FireEye, both of whom found the compromised update in their own environments, have taken control of the backdoor's command-and-control domain and turned it into a kill switch that causes Sunburst to deactivate when it calls home. Note that the kill switch only neutralises Sunburst itself: it does not remove any further access the attackers established after the backdoor gave them a foothold, so any SolarWinds user who has not yet updated their systems should do so immediately and then look for signs of follow-on activity.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also published a second advisory to help organisations examine Microsoft-based cloud environments for indications of malicious activity linked to the SolarWinds attack, since the attackers moved from compromised on-premises networks into victims' Azure Active Directory and Microsoft 365 tenants. Additionally, CISA has made available a tool called 'Sparrow', a PowerShell script that searches the Azure AD and Microsoft 365 audit logs for indicators such as changes to federation trust settings and credentials added to applications, to help detect possibly compromised accounts and applications in those environments.
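To make the kind of check Sparrow performs concrete, the following is an added example written for this article; it is not CISA's tool. It reads a constructed, newline-delimited JSON export of audit records (the sample data is made up, not from any real tenant) and pulls out the two classes of change that matter most after a SolarWinds-style intrusion: credentials added to applications or service principals, which give the attacker durable API access that survives a password reset, and changes to domain federation settings, which are the prerequisite for forging SAML tokens. The watch-list of operation names and the severities attached to them are this example's own selection; confirm the exact strings against your tenant's export before relying on them.

```python
"""Triage an Azure AD / Microsoft 365 audit export for the account- and
application-level changes worth reviewing after a suspected SolarWinds-style
intrusion. Added example for this article; not CISA's Sparrow tool.
"""
import json
from collections import defaultdict

# Operations worth a second look (this example's own watch-list; the severity
# labels are an assumption, not taken from any official guidance).
WATCHED_OPERATIONS = {
    "Set federation settings on domain.": "high",
    "Set domain authentication.": "high",
    "Add service principal credentials.": "high",
    "Update application – Certificates and secrets management ": "high",
    "Add app role assignment grant to user.": "medium",
    "Consent to application.": "medium",
    "Add member to role.": "medium",
}

# Constructed sample records, shaped like a flattened export with one JSON
# object per line. Names, times and applications are invented.
SAMPLE_LOG = """\
{"CreationTime":"2020-12-14T03:12:44","Operation":"UserLoggedIn","UserId":"alice@example.test","ObjectId":"Office 365 Portal"}
{"CreationTime":"2020-12-14T03:15:02","Operation":"Add service principal credentials.","UserId":"alice@example.test","ObjectId":"Mail Archiver Sync"}
{"CreationTime":"2020-12-14T03:16:30","Operation":"Set federation settings on domain.","UserId":"alice@example.test","ObjectId":"example.test"}
{"CreationTime":"2020-12-15T09:01:11","Operation":"Update user.","UserId":"bob@example.test","ObjectId":"carol@example.test"}
{"CreationTime":"2020-12-15T09:05:47","Operation":"Consent to application.","UserId":"bob@example.test","ObjectId":"Calendar Helper"}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines so a
    truncated export does not abort the whole triage."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_suspicious(records):
    """Return the watched operations, highest severity first, then by time."""
    hits = []
    for rec in records:
        sev = WATCHED_OPERATIONS.get(rec.get("Operation"))
        if sev:
            hits.append({
                "time": rec.get("CreationTime"),
                "severity": sev,
                "operation": rec.get("Operation").strip(),
                "actor": rec.get("UserId"),
                "target": rec.get("ObjectId"),
            })
    order = {"high": 0, "medium": 1}
    hits.sort(key=lambda h: (order[h["severity"]], h["time"]))
    return hits


def actors_with_high_severity(hits):
    """Group high-severity hits by actor. One account that both added app
    credentials and changed federation settings within minutes is the
    pattern to escalate first."""
    by_actor = defaultdict(list)
    for h in hits:
        if h["severity"] == "high":
            by_actor[h["actor"]].append(h["operation"])
    return dict(by_actor)


if __name__ == "__main__":
    found = find_suspicious(parse_records(SAMPLE_LOG))
    for h in found:
        print(f"[{h['severity']:6}] {h['time']} {h['actor']} -> "
              f"{h['operation']} ({h['target']})")
    print("Review first:", actors_with_high_severity(found))
```

Every hit still needs to be checked against change records: a legitimate administrator rotating an application secret produces the same audit entry as an attacker, so the output is a triage list, not a verdict.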
After the devastating NotPetya attack in 2017, which masqueraded as ransomware and also spread through a compromised software update, this latest example emphasises the significance of the supply chain threat and organisations' increasing dependency on software providers. Attacks of this sophistication can be very hard for a victim to detect, because the malicious code arrives inside a signed update from a trusted vendor, and the SolarWinds attack is further evidence that organisations should review and update their own supply chain assurance processes and policies. Where they have a large supply chain, organisations should risk-assess suppliers on criteria such as whether the supplier's software or staff have access to the organisation's data or systems, and how critical the supplier is to business processes. This will enable them to identify and prioritise the suppliers posing the highest risk and requiring the most scrutiny.
One security consideration that could have reduced the impact of the SolarWinds attack is a zero-trust approach. Traditional perimeter-based networks implicitly trust any host or account that is already inside, which enables exactly the lateral movement and privilege escalation seen in this attack once the Orion server had been compromised. Zero trust would not have stopped the trojanised update from being installed, but an architecture in which no user, device or service is trusted by default, and every request for a wider resource is separately authenticated and authorised, would have made each onward step harder and noisier. The caveat is that a network monitoring platform like Orion legitimately holds credentials for many of the systems it monitors, so the practical controls are to segment the management network, give the Orion service accounts only the privileges they need, and monitor those accounts closely, rather than to treat the monitoring server as trusted simply because it sits inside the network.
Another key concern is that the success of this attack has provided a proof of concept to the many resourceful and agile organised crime groups that rapidly adapt their business models to exploit new techniques and maximise their returns. Experience shows that where state-level actors have succeeded, cyber criminals follow soon after, so we expect copycat attacks to increase given the opportunity to infect many victims at once through a single trusted update.
Whether you are a SolarWinds customer who believes you have been a victim of this attack, or you are simply looking for more information on how to enhance your cyber security defences, please click here to enquire.
This article was published in partnership with our cyber security partners PGI.
© SES Secure Limited and ses-escrow.co.uk, 2021. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Financechain Limited trading as SES and ses-escrow.co.uk, with appropriate and specific direction to the original content.