The SolarWinds breach: two months later
The massive SolarWinds breach has dominated cybersecurity headlines since December 8, 2020, when FireEye announced that its Red Team tools had been stolen, likely by a state-sponsored actor; five days later FireEye and SolarWinds disclosed that the intrusion had been carried out through trojanized updates to SolarWinds' Orion platform. This past week saw a few more evolving stories in the news:
Story 1: While most of the focus around the breach still revolves around suspected Russian-backed interests, Reuters has reported that suspected Chinese hackers also broke into U.S. government systems by exploiting SolarWinds security flaws. “While the alleged Russian hackers penetrated deep into SolarWinds network and hid a ‘back door’ in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised,” according to sources quoted in the article. Using infrastructure and hacking tools from other breaches, Chinese attackers allegedly used SolarWinds vulnerabilities to penetrate multiple targets, including the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture.
Story 2: Law firms across the United States have accelerated their notifications to potential litigants about the March 5, 2021 deadline to seek appointment as "lead plaintiff" in the federal securities class action that has been filed against SolarWinds. (A lead plaintiff is a party that acts on behalf of the other members of a class action in directing the litigation. To be appointed lead plaintiff, the Court must determine that the class member's claim is "typical" of those of the other class members and that the lead plaintiff can adequately represent the class. In some cases, multiple class members may work together to serve as lead plaintiff.)
The class action was filed in early January by New York-based Rosen Law Firm, a global investor rights law firm. The suit revolves around whether SolarWinds and its executives violated federal securities laws by making false or misleading statements and/or failing to disclose material information about the breach in a timely fashion.
Story 3: Last week, current SolarWinds CEO Sudhakar Ramakrishna again confirmed that the attackers likely had access to the company's email system for close to a year. In an interview, Ramakrishna said the attackers likely first breached SolarWinds' environment in September 2019. According to the timeline SolarWinds has reconstructed, they ran a test modification of the Orion build in October 2019 and then inserted the SUNBURST backdoor into Orion updates that were distributed to customers from early 2020. By December 2019 they had also gained access to at least one of the company's Office 365 email accounts, pivoted from it to additional accounts and, according to Ramakrishna, eventually held access across the broader Office 365 environment until the breach was discovered in December 2020.
Story 4: Researchers at security firm Trustwave have identified three new SolarWinds software bugs, two in the Orion platform that was involved in the original breach and a third in SolarWinds' Serv-U FTP software. Trustwave disclosed the bugs privately to SolarWinds, which has issued advisories and patches (Orion Platform 2020.2.4 and Serv-U 15.2.2 Hotfix 1, both released in late January); none of the three has been seen exploited "in the wild" so far. Trustwave has deliberately withheld proof-of-concept exploit details to give users time to patch, but has said it will publish a proof-of-concept description on its corporate blog on February 9, 2021.
The three bugs have different impacts on SolarWinds systems:
1. The first (CVE-2021-25274) lets an unauthenticated remote attacker gain complete control of the target's Orion server, with no credentials of any kind required;
2. The second (CVE-2021-25275) lets an attacker who can log into the Orion server, either locally or via RDP, recover the cleartext credentials for the organization's Orion back-end database, and then use the database to exfiltrate data or create new Orion admin accounts; and
3. The third (CVE-2021-25276) is a directory access-control flaw in Serv-U FTP that lets an authenticated, but not authorized, local or remote user create a new Serv-U user profile with admin rights.
Linux Alert: High/critical bug in “sudo” admin command
A heap-based buffer overflow introduced into the "sudo" command in July 2011 has been found in every legacy version from 1.8.2 through 1.8.31p2 and every stable version from 1.9.0 through 1.9.5p1. The 9½-year-old vulnerability, tracked as CVE-2021-3156 and nicknamed "Baron Samedit," was discovered by security firm Qualys, disclosed on January 26, 2021, and fixed with the release of sudo version 1.9.5p2.
The bug allows any local user, including one who is not listed in sudoers at all and has no password for the account running sudo, to gain administrator (i.e., "root") access to the system, at which point they have full control of the compromised host. The overflow is triggered through the argument handling of sudoedit (sudo -e), which is why no sudo privileges are needed to reach it.
CERT/CC has compiled a list of currently known affected vendors and versions at https://kb.cert.org/vuls/id/794544. It is strongly recommended that all Linux systems be evaluated and patched as soon as updated "sudo" packages are available for their distribution. Note that most distributions backport the fix while keeping the original version number, so the output of "sudo --version" alone does not tell you whether a host is patched; check the package changelog or run the Qualys-published test (sudoedit -s /) instead. Note also that macOS, which also ships sudo, has been identified as affected, according to a recent report by security news service ZDNet.
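The following POSIX shell script is an added illustration, not part of the original article or of the Qualys advisory. It triages a host two ways: it compares the upstream sudo version string against the affected ranges, and it runs the runtime test Qualys published with its advisory (sudoedit -s /, which a vulnerable build answers with "sudoedit: /: not a regular file" and a patched build rejects with a usage error). The version ranges and the expected responses are from the Qualys advisory; the helper names and the numeric version key are this example's own assumptions.

```shell
#!/bin/sh
# Added example for CVE-2021-3156 (Baron Samedit): version triage plus runtime check.
# Affected upstream ranges per the Qualys advisory: 1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1.

# Turn a sudo version string such as "1.8.31p2" or "1.9.5p1-1ubuntu1" into a sortable
# integer: major*1000000 + minor*10000 + patch*100 + p-level. Distro suffixes are dropped.
sudo_version_key() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[-+~].*$//')
    p=0
    case "$v" in
        *p*) p=${v##*p}; v=${v%p*} ;;        # "1.9.5p1" -> p=1, v=1.9.5
    esac
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0            # "1.9" has no third component
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 10000 + ${pat:-0} * 100 + ${p:-0} ))
}

# Returns 0 (true) when the given upstream version falls inside an affected range.
# Remember that backported distro fixes keep the old version number, so a "vulnerable"
# answer here only means "needs the runtime check", not "exploitable".
sudo_version_vulnerable() {
    k=$(sudo_version_key "$1")
    if [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Runtime check from the Qualys advisory, safe to run as any unprivileged local user.
# Prints "vulnerable", "patched", or "unknown" (no sudoedit on this host or unexpected output).
sudoedit_runtime_check() {
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(sudoedit -s / 2>&1 </dev/null)
    case "$out" in
        *"not a regular file"*) echo vulnerable ;;
        *usage:*)               echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Stand-alone usage: report on the local host.
if command -v sudo >/dev/null 2>&1; then
    ver=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    [ -n "$ver" ] || ver=0.0.0
    if sudo_version_vulnerable "$ver"; then
        echo "sudo $ver is in an affected upstream range; runtime check: $(sudoedit_runtime_check)"
    else
        echo "sudo $ver is outside the affected upstream ranges"
    fi
else
    echo "sudo is not installed on this host"
fi
```

The runtime check is the authoritative one: on a distribution that backported the fix (Ubuntu's 1.8.31 packages, for example) the version test will still say "affected" while sudoedit answers with the usage error of a patched build. Treat "unknown" as a prompt to look at the package changelog rather than as a clean bill of health.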