We have all been witnessing the global impact of the health and economic events of 2020. As the year draws to a close, we are also now witnessing the unfolding discovery and investigation of a cyberattack the scope of which continues to grow. The full extent of this attack and its repercussions may never be fully known.
In early December of 2020, the cybersecurity firm FireEye discovered it had been a victim of an attack. They were the first to detect and alert the world as to the magnitude of this attack. In the days following the initial discovery, they continued to provide communications outlining the details as they were discovered.
Initial discovery by FireEye
Initial information from FireEye disclosed that the software they use in penetration testing and security analysis services for their customers was stolen. They also reported that their investigations into the tactics and methods used to wage the attack were sophisticated and seemed to indicate the involvement of a nation-state. This information made the theft of those items puzzling to the security industry. Attackers with the indicated level of tradecraft and the resources of a nation-state are unlikely to need additional tools, especially ones that did not include any zero days or unknown capabilities.
FireEye’s internal investigation continued after their initial announcement and they have recently reported that the source of the compromise was due to a supplier-side attack through SolarWinds Orion, a popular network monitoring tool. This software is used by public and private entities worldwide. The malicious code was inserted into and delivered to the targets through legitimate software updates for Orion released by SolarWinds.
The attack implementation and command-control efforts were reported to be top-notch, and FireEye’s examination of the malware, methodologies and capabilities of the attack further confirmed their initial assessment that a nation-state was involved.
Campaign timeline identified
Indications are that attacks from this campaign originated in the spring of 2020 with other targets. This timing gave the attackers plenty of time to compromise networks and expand their influence within their early targets prior to discovery. The attackers’ fatal mistake was taking aim at FireEye; while the potential gain may have made FireEye an appealing target, it was also a risky one.
Because of the expertise and tools at FireEye, the attack was discovered quickly. And due to FireEye’s openness and commitment to the security industry, we now know much more about this attack campaign. Their release of details as they have been discovered has allowed other organizations to defend and recover from this attack. Without FireEye’s release of details and GitHub detection signatures, it’s likely that we would still not be aware of this attack.
Investigation continues and impact grows
FireEye is currently working with the FBI, SolarWinds and other parties in this ongoing investigation. It is now known that numerous departments of the U.S. Government have been impacted, including the Pentagon, The Department of Homeland Security, the State Department, the Commerce Department, the National Institutes of Health, various military departments, the Department of Veteran Affairs, and the Federal Treasury. Further additions to this list are expected and are likely to include other federal agencies, as well as private businesses.
While SolarWinds has indicated that only a small percentage (roughly 18,000) of its 300,000 claimed customers were impacted by this breach, it is also being reported that they serve numerous government agencies and most of the Fortune 500, making the impact of this attack significant. The possibility that these compromised companies are used to attack other companies in more supply chain linkages increases the potential scope of this attack tenfold.
What is SolarWinds doing?
The first step taken by SolarWinds to mitigate this attack was to release an uncompromised upgrade to Orion Platform to address the security vulnerability. This should be just the beginning of the steps SolarWinds should take to respond to this breach. They have issued a security advisory in regards to steps they recommend for their customers.
What should you do?
From the level of tradecraft that FireEye has reported with this campaign, any firm with an association to SolarWinds should assume total network compromise and the installation of additional backdoors. Utilize FireEye’s GitHub detection signatures for multiple toolsets to identify active attacks from the known SolarWinds malware, dubbed SUNBURST.
FireEye also identified that the attackers have custom code development capabilities, identified as one of the payloads of SUNBURST. This memory-only dropper is dubbed TEARDROP and has no code overlap with any previous malware. As the attackers recognize these same signatures, it’s assumed they will change tactics to avoid detection.
All standard breach recommendations apply:
- Update privileged account passwords immediately, and then move to change all passwords once you have a reasonable level of assurance that the attackers are out of your network.
- Ensure that all users are using multi-factor authentication (MFA), and then reset all sessions to reauthenticate using MFA immediately.
- Look for unusual activity on your network using either a user and entity behavior analytics (UEBA) solution or a network detection and response (NDR) or endpoint detection and response (EDR) tool that has been updated to look for indicators of compromise (IoCs) from the FireEye attack.
- Utilize a third-party experienced in breach response to perform a full assessment of your security stance.
Monitoring third-party access to your network should be done as an on-going security activity, but it’s especially important now that you talk to your vendors and partners to discover who may have been impacted by this breach, and how they are responding. Every organization should undertake this process because the ripples of this campaign are widespread. Review the activity in your third-party applications and consider suspending network access until a full review of activity for the past six months has been completed. At a minimum, you should segment and monitor this access.
Segmenting systems from access by the Orion servers is being recommended, but by their very nature the Orion servers are designed to talk to every system on the network. The question of blocking server access versus having critical systems unmonitored for issues and outages is a difficult one, and in the long term these systems must continue to be monitored.
Continuing protection from these types of attacks is needed, but there should be consideration given to the fact that any software supplier could fall victim to a similar attack. Micro-segmentation of your network and zero-trust strategies are your best protection for the future.
Full micro-segmentation protects systems from each other and can limit the scope of a breach. The associated network monitoring capabilities also help identify unusual traffic. Zero trust helps further restrict the scope of the attack by ensuring that no network is trusted, and that all application and system access requires strong authentication.
The interconnectivity of applications and access between vendors, partners, employees and customers will continue to amplify the risk of these types of attacks. No entity—government or otherwise—is fully safe, and continued vigilance is required. Creating a layered security program that provides defense in depth and robust detection capabilities that identify unusual behaviors and IoCs will help. But organizations can’t stop there; an incident response plan must be prepared and tested regularly.
From target to champion
Admissions of compromise are difficult to share, especially for a security firm. But the level of openness exhibited by FireEye during this incident has made the entire security industry stronger. With the level of detail and analysis they have provided, FireEye has proved to be a champion for security and their dedication, quick response and open communications are to be applauded.
Navigating the next steps
Sirius has a skilled security team with a depth of breach response experience. We can help you evaluate your risk, assess your overall security posture, and develop defense-in-depth and zero-trust strategies for the future of your security stance. Reach out to your Sirius representative or contact us today to learn more.