
Latest Cybersecurity News


SolarWinds Breach Fallout Continues

The biggest story in cybersecurity today remains the SolarWinds supply-chain compromise.

The first indications of the incident came to light on December 8, when FireEye announced that its so-called "Red Team" tools (software FireEye uses to conduct penetration tests, both internally and for customers) had been stolen by a sophisticated attacker.

Then, on December 13, news emerged that the U.S. Treasury and Commerce Departments had had their email systems compromised.

In the course of its investigation, FireEye determined that the likely root cause of its own breach, and of those in the government, was a backdoor planted in certain builds of SolarWinds' Orion Platform software. Widely used among large enterprises, Orion provides "centralized monitoring and management of your entire IT stack, from infrastructure to application," and "scalable architecture that reaches across your physical, virtualized, and cloud IT environments", according to SolarWinds' website. That reach is exactly what makes it a valuable target: an Orion server holds credentials for, and has privileged network access to, the systems it monitors, so compromising it yields a foothold into everything it manages.

SolarWinds quickly confirmed that its software had been tampered with. It disclosed that several Orion Platform updates and hotfixes released between March and June 2020 contained a backdoor that attackers may have used. Because the backdoor was compiled into a legitimately signed Orion component and delivered through the normal update channel, customers' integrity checks would have passed it without complaint. According to FireEye's detailed analysis, the backdoor sits dormant for up to two weeks after installation, after which it "retrieves and executes commands, called 'Jobs,' that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services." FireEye named the backdoor SUNBURST; Microsoft refers to the campaign as Solorigate.

In its security advisory, SolarWinds issued instructions for upgrading the affected versions, while FireEye published a blog post with technical background and guidance on the intrusion campaign, along with a set of SUNBURST countermeasures (detection signatures) on GitHub. Microsoft published a list of indicators of compromise (IOCs) on its blog. The Canadian Centre for Cyber Security issued an alert, and CISA, part of the U.S. Department of Homeland Security, released an emergency directive requiring federal agencies to disconnect or power down affected Orion instances and to forensically image them before rebuilding, rather than simply patching in place.

To disrupt the campaign, Microsoft and partners seized control of the domain the backdoor uses to report infections, and Microsoft has been monitoring traffic to it in an effort to identify further victims. Working with FireEye and GoDaddy, Microsoft then turned the seized domain into a so-called "kill switch": it now resolves to an address that causes the backdoor to terminate itself on hosts that reach it. The caveat FireEye was careful to state applies here: the kill switch neutralizes the SUNBURST implant, not any follow-on access the attackers established while it was active, so affected organizations still need a full investigation.

So far, Microsoft has identified and notified more than 40 of its customers that the attackers singled out for follow-on activity. Some 80% of the victims are reportedly based in the United States, with the balance operating out of Canada, Mexico, the United Kingdom, Belgium, Spain, and the United Arab Emirates. And while the most sensational of the compromises involve branches of the United States government (in addition to Treasury and Commerce, the Centers for Disease Control and Prevention, the State Department, the Justice Department, and some branches of the Pentagon, among others), over 40% of the victims are IT organizations, including software and security vendors whose own customers may be exposed in turn.

Most private-sector victims have not yet been publicly identified; however, Cox Communications, an Internet service provider operating in 18 U.S. states, was reportedly breached. Cisco reported and contained a limited intrusion affecting a small number of its internal systems. Credit reporting agency Equifax was also reportedly affected. Microsoft itself found the malicious Orion binaries in its own environment and says it has isolated and removed them.

The Canadian entities involved in the breach have not been publicly identified. And in contrast to the breaches in the United States government, the Canadian government appears to be unaffected at this stage.

In his December 17 blog post, Microsoft President Brad Smith said, "It's certain that the number and location of victims will keep growing." Indeed, SolarWinds has advised that up to 18,000 of its customers may have installed the trojanized updates, so the potential for additional victims is significant, even though the attackers appear to have selected only a small fraction of those installations for hands-on follow-up. On its website before the breach, SolarWinds advised that some 425 of the Fortune 500 companies use its software. That statement, along with a listing of SolarWinds' top customers, has been removed from the site in recent days.

The length of time it took to identify the compromise makes this a particularly challenging and complex situation for incident response, reporting and analysis. Since the first trojanized update went out in March, some organizations may have been exposed for nine months, and because the backdoor's traffic was designed to blend in with Orion's own, many have no clear way to determine how far, or whether, the attackers went beyond the initial implant. Retrospective hunting therefore depends on how much DNS, proxy and endpoint telemetry an organization retained from that window. More troubling still, researchers at ReversingLabs report that the first signs of tampering date back to October 2019, when small, benign "proof-of-concept" modifications began appearing in SolarWinds builds, suggesting the attackers had access to the build pipeline for roughly a year before the backdoor itself shipped.
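As an added example (not part of this news item, and not tooling published by SolarWinds, FireEye or Microsoft), here is how a responder might use retained DNS logs to scope the exposure window described above: find every client that queried a known command-and-control domain, record its first and last beacon, and work back from the first beacon using FireEye's stated two-week maximum dormancy to bound when the implant could have been installed. The log format, the hostnames and the indicator domain `example-c2.invalid` are all constructed placeholders; in practice the domain list comes from the FireEye and Microsoft IOC publications the article links.

```python
import re
from datetime import datetime, timedelta

# Placeholder indicator, NOT a real SUNBURST domain: load the real list from the
# FireEye / Microsoft IOC publications referenced in the article.
IOC_DOMAINS = ["example-c2.invalid"]

# FireEye reports the backdoor sleeps for up to two weeks after installation, so the
# first observed beacon bounds the install date to the two weeks preceding it.
MAX_DORMANCY = timedelta(days=14)

# Constructed sample resolver log (not real telemetry). Assumed format, one query per line:
# "<UTC timestamp> <client host> <queried name> <resolved address>"
SAMPLE_DNS_LOG = """\
2020-06-02T03:14:07Z orion-01.corp.example a1b2c3d4.beacon.example-c2.invalid 198.51.100.7
2020-06-02T03:15:11Z ws-044.corp.example www.example.org 93.184.216.34
2020-06-03T09:41:50Z orion-01.corp.example e5f6a7b8.beacon.example-c2.invalid 198.51.100.7
2020-06-04T22:05:33Z orion-02.corp.example example-c2.invalid 198.51.100.7
2020-06-05T10:00:00Z db-03.corp.example notexample-c2.invalid 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def matches_ioc(qname, ioc_domains):
    """True if qname is an IOC domain or a subdomain of one.

    The label-boundary check matters: a naive endswith() would flag
    'notexample-c2.invalid' as a hit on 'example-c2.invalid'.
    """
    qname = qname.lower().rstrip(".")
    for dom in ioc_domains:
        dom = dom.lower().rstrip(".")
        if qname == dom or qname.endswith("." + dom):
            return True
    return False


def find_beaconing_hosts(log_text, ioc_domains=IOC_DOMAINS):
    """Return {host: summary} for every client that queried an IOC domain.

    Each summary carries the first/last beacon, the query count, the answers seen
    (a sinkhole address after the takedown still identifies a victim), and the
    earliest date the implant could have been installed given the dormancy period.
    """
    hits = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts_text, host, qname, answer = m.groups()
        if not matches_ioc(qname, ioc_domains):
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        entry = hits.setdefault(
            host, {"first_seen": ts, "last_seen": ts, "queries": 0, "answers": set()}
        )
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["queries"] += 1
        entry["answers"].add(answer)
    for entry in hits.values():
        entry["earliest_possible_install"] = entry["first_seen"] - MAX_DORMANCY
    return hits


if __name__ == "__main__":
    for host, info in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(
            f"{host}: {info['queries']} beacon(s), first {info['first_seen']:%Y-%m-%d}, "
            f"last {info['last_seen']:%Y-%m-%d}, implant installed no earlier than "
            f"{info['earliest_possible_install']:%Y-%m-%d}, answers={sorted(info['answers'])}"
        )
```

Two things to note when adapting this. First, a host with no hits is not a host with no implant: the backdoor is silent for up to two weeks and the attackers used the beacon channel selectively, so absence of evidence in a short retention window proves little. Second, the hosts flagged here are the Orion servers themselves; the harder question, which this script cannot answer, is what the attackers did from those servers with the credentials Orion holds.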


CyberNews will return Monday, January 4, 2021. Happy holidays and stay safe.
