We asked cyber pros to weigh-in on the FireEye red team tools breach and the SolarWinds Orion supply chain attack, which was the cause of the breach. The supply chain attack, which has affected around 18,000 SolarWinds Orion customers, is thought to have been executed by a sophisticated nation-state threat actor.
Ofer Israeli, CEO and founder of Illusive Networks:
“This breach, in which attackers were living in the system undetected for months, shows the critical importance of lateral movement detection and unnecessary credential remediation. These threat actors were using standard living off the land techniques – leveraging legitimate credentials and connectivity. This is some of the hardest movement to identify, as it appears natural.
A more active approach is needed. It has to be assumed that attackers are getting in, and it’s what we do once they’ve breached that will make the most difference. Once companies understand and appreciate the importance of placing focus on paralyzing attackers inside the network, the greater the chance they have of assembling the necessary technology and tools to robustly secure that network.
CISA is mandating that affected, or potentially affected systems be forensically imaged immediately. The importance of obtaining a full forensic picture, which is then delivered to security teams for remediation and further action, can’t be understated. Ideally security teams will see this as a learning opportunity to make sure their preferred active defense tools have this deterministic capability. Only then can they prepare more thoroughly for future attacks, which is paramount in the fight against cybercrime.”
Jamil Jaffer, former WH exec and SVP for Strategy, Partnerships & Corporate Development at IronNet
"SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer's network. According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6% of its customers) deployed a version of the Orion platform that may have been compromised. Given previous attacks of this kind, it is likely that the scope of this threat is broader than the handful of agencies confirmed to be involved thus far. Moreover, it's worth noting that Secretary of State Pompeo suggested that a number of private sector entities were also likely targeted. Given the scope and nature of the vulnerability, and the ability to gain and escalate privileges in a significant way, it is important that affected entities apply the current patch available as well as any other appropriate patches as released.
The jury is still out on whether or not this vulnerability has been exploited before and if it's part of a broader campaign. Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept. Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us.
This event does highlight the challenge of managing the supply chain of individual organizations. Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors. Supply chain attacks, of course, are not new. Indeed, the classic story of the Trojan Horse itself is, in some sense, a supply chain attack. What is different about the modern era, of course, is how much of the modern supply chain relies on foreign sources. While this issue is not necessarily in play with this particular incident, our nation's reliance on foreign supply chains, particularly in China, are likely to continue to raise concerns. Moreover, this incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies."
Danny Jenkins, CEO and co-founder, ThreatLocker, an Orlando-based application security company:
“We’ve seen a rise in exploits against RMM tools over the past year and unfortunately, these types of gateway attacks are all too common as monitoring solutions, antivirus and RMM tools often contain vulnerabilities or API keys that allow malicious actors to deploy attacks on a mass scale.
While SolarWinds took immediate action releasing a hotfix shutting down all servers until they are updated, the challenge with these types of systems is that they are connected to many different devices. Because the Orion server was likely hosted on the government private network, ACLs should have restricted which IP addresses it could connect to. We can also assume that the ACLs were either poorly managed or that someone was able to bypass the government network, possibly through FireEye.
To prevent similar attacks in the future, better review of software code and server-side security is crucial, as attacks can be crippled by limiting permissions on the host itself. For example, file permissions, blocking internet access from the server, and ringfencing are all ways that can prevent gateway attacks. Implementation of legislation such as the I.T. Modernization Act will also play a critical role in preventing these types of breaches, which lists basic controls like application whitelisting as an essential requirement, and that would have stopped this attack from being successful.”
Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:
“The attack’s early phases included the manipulation of Security Assertion Mark-up Language (SAML) authentication tokens in the pursuit of escalating privilege access by manipulating authentication and authorization controls used in Single Sign On (SOO). That illicitly gained privileged access can then be used to move from the attacker’s on-premise beach head over to the target’s Microsoft 365 instance. Once inside this pervasive SaaS solution and all the information riches it contains, they could use Microsoft’s built-in tools to extend and perform their clandestine operations. For example:
Set up new privileged accounts
Define exchange email routing rules to surreptitiously redirect copies of certain emails,
Use eDiscovery to perform extensive reconnaissance and information gathering of shared SharePoint and OneDrive repositories
Use PowerAutomate to setup automated workflows that bring the above activities together and run them autonomously while quietly exfiltrating data
IT administrators and security teams have access to highly privileged credentials as part of their legitimate work. Attacking the digital supply chain of their software tools is an attempt to gain penetration and persistence right at the heart of their operations, gain privileged access and to provide springboard out across their digital hybrid-cloud enterprise. Recent research from 451 Group identified that only 3.5% of respondents perceived SaaS applications as the greatest risk to their organization, yet this attack demonstrates the value within and so targeting of SaaS application like Microsoft 365 where so many organizations’ employees go to work and keep so much valuable information.”
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:
“Cyber espionage campaigns can target both the public and private sector, as proven by this attack. Adversarial nation-states have recognized the value in targeting both sectors, which means neither is safe from the types of attacks that have government resources behind them. Attackers will continue to get more creative with their campaigns as cybersecurity protections get more advanced.
Infecting the legitimate software updates of a widely-used vendor can be an effective way to covertly inject malware into a large number of organizations. If successful, this form of software supply chain attack can be used to attack an entire industry in one swoop.
In order to avoid this type of attack, it’s key to have visibility into all internal and third-party software in your infrastructure. Apps and updates from other vendors may be carrying infected code, excessive data access, or invasive permissions that violate your organization’s data risk policies. Your host infrastructure, mobile devices, and computers all represent potential access points for threat actors. You need to know where software vulnerabilities exist across your infrastructure. Limiting data access based on whether a device has any vulnerable software is a key step to protecting your entire infrastructure.
While details about the breach haven’t been released yet, the report does mention that the departments’ email traffic was being monitored. Most agencies in the Federal government use Microsoft Office 365 for email and as a productivity suite. If their email is being monitored, it’s not out of the question that they could have access to any sensitive documentation stored or shared in the platform. Email attachments that include highly sensitive documents such as an individual’s travel details during a campaign and spreadsheets that break down federal spending could be accessed.
Lookout found that mobile users with Office 365 or Google Workspace installed on their smartphone or tablet were 50% more likely to encounter mobile phishing than those without them. Executing attacks that leverage the name and appearance of known software increases the likelihood of success for the threat actor. If it’s something that can be accessed from both desktop and mobile, then those odds only increase.”
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services:
“There is a digitally signed component of SolarWinds that has a flaw allowing anybody to write to an executable. This essentially comes down to improper privilege management in a tool that is deeply embedded into system administration. Adversaries who weaponized this flaw allowed them to leverage all the capability of a remote management solution. The reason these systems are good targets is because they’re deeply embedded in systems operations and administration. These types of tools are allowed deep access to systems in a broad sweep across the enterprise. Managing and maintaining the volume of systems in enterprises today creates demand for a tool that eases administrative tasks. Unfortunately, the tasks that embedding software like RMM tools allows for the exact type of access and adversary would want. This includes transferring files, remote access, and system modification.”
###