It has been reported that state-sponsored hackers – suspected to be working for Russia – have been monitoring emails at the US Treasury Department and another American federal agency for months. The US intelligence community is reportedly concerned that the hackers who targeted the Treasury and an agency of the Commerce Department may have been spying on other agencies too.
This is a significant example of a well-executed supply chain attack compromising a popular IT administration tool as a penetration mechanism. The subsequent exploitation of authentication controls enabled the threat actor to pivot to the cloud and operate undetected for an extended time in Microsoft 365, which allowed them to gather intelligence. The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
As organisations increasingly become hybrid cloud environments, we’ve seen attackers focus on privileged access and the use of legitimate tools for malicious actions. For example, in a recent study of 4 million Microsoft 365 accounts, we identified that 96% of organisations exhibited lateral movement behaviours, including multifactor authentication (MFA) and embedded security controls being bypassed. A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities using built-in M365 tools such as eDiscovery and Power Automate. Opportunities for attacks like this are vast and growing. It highlights the need for security teams to be able to tie together all host and account interactions as they move between cloud and on-premises environments in a consolidated view. Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.
News of a breach with the potential size of the one carried out on the U.S. Treasury and Commerce Departments is eye-opening and of big concern. In addition, the directive from the Cybersecurity and Infrastructure Security Agency (CISA) urging all public and private sector companies to assess their exposure to the massive hack, and its plea to disconnect or power down SolarWinds products, is exceedingly infrequent. Quite frankly, I am shocked. People need to pay attention to this directive and respond. Not later today or tomorrow, but now.
The good news is that the infrequency of these types of directives will catch everyone’s eye and reinforce the seriousness of this latest breach. In other words, this warning should not go unnoticed. Since SolarWinds has tens of thousands of customers and more than 400 of the world’s Fortune 500, a bold action like this was needed and required across the public and private sector.
Amazingly, this directive is the first of this scale that we have seen in 2020. Now we all want to know what the private sector companies protected in part by SolarWinds will do. We should all be listening carefully to SolarWinds as well. As defenders, their first job is protecting their clients, but they hold vital pieces of information as well. Their transparency and openness are extremely important. Playing the victim card in these instances is unacceptable. In the short term, for any customers of SolarWinds it is time to create a task force or war room to hunt adversaries and deal with the specific TTPs, vulnerabilities and exploits in question.
Let us all remember that the fog of cyber war makes things in the moment very hard to tell and difficult to assess, but over time, whether it’s days, weeks or months, it will become clear. Today, this is a security drill that no one wants as 2020 gets in its parting shots. As public and private sector companies share common tools, practices and managed services, it is important to remember that homogeneity can make us vulnerable and these threats can spread like wildfire if not dealt with immediately.
The good news is that a lot of companies are in an IT freeze due to end-of-year shopping and slowdowns for the winter holidays. The bad news is that many organisations and companies are looking to go into the black on the books, since they have been in the red most of the year due to COVID. Any type of breach that slows down businesses in the remaining few weeks of 2020 will only provide another reminder of how difficult a year it has been.
With the U.S. government looking to transition between administrations, cyber activity that leads to lockdowns and freezes has the potential to slow or damage government transition work. With the inauguration in January, it is important that first we do not allow any damage, but also that after that the government can proceed in its normal transition of administrations. Now is the time to listen to CISA and the government and to carefully manage the need to stay open and servicing the public for the private sector, as well as the need to continue government operations and transition, while minimising complexity and risk to security and privacy.