SolarWinds supply chain attack, in which hackers (believed to be working for Russia) have tampered with software updates released by the company. Known victims of the attack so far include the US treasury, the US NTIA and FireEye itself.
I am left wondering if the "highly-sophisticated, targeted and manual supply chain attack" against Solarwinds was against an OSS library they used or targeted directly at the source code by an insider. https://t.co/Rxc4HrVNcw
<p>The SolarWinds breach is undoubtedly unprecedented and it is certainly not ‘just another data breach’. We’ve seen cyberattacks carried out by foreign intelligence services before, but none at this scale and with this much potential to cause catastrophic damage, the extent of which is currently unknown. </p> <p> </p> <p>What we do know is that a foreign adversary was able to gain access to the IT systems of the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States, stealing vast amounts of data in the process. </p> <p> </p> <p>Supply chain attacks like this have been a concern for the security industry for a long time; the threats posed by supply chain attacks are severe as not only are they typically more difficult to detect, but they often come through trusted third-parties with high levels of access to sensitive and classified data. </p> <p> </p> <p>This is where the problem lies. This demonstrates there is no such thing as an unreachable network, yet many organisations are still focused on controls that secure the network. The emphasis instead should be on controls that secure data. With a data-centric approach, organisations can ensure that even if the network of one of their suppliers or a trusted third party is compromised, their data will be secure. A software-defined approach to Information Assurance (IA) combined with the ability to deploy and manage seamlessly with technologies such as Layer 4 encryption, means that even if cyber hackers manage to infiltrate a network and ‘steal’ data, the contents of the data will be unreadable and effectively rendered useless. </p> <p> </p> <p>This won’t be the last data breach of this kind that we’ll see, so serious lessons need to be learned. These attacks are called ‘data breaches’, not ‘network breaches’, for a reason, so focusing on securing data is the only way for organisations to avoid becoming the next victim.</p>
<p><span lang=\"\\"EN-CA\\"\">Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates allowing them to fabricate fake tokens for network access, transversing that to cloud access and subsequently manage network access and user permissions.</span></p> <p> </p> <p><span lang=\"\\"EN-CA\\"\">This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organization\\\’s broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management.</span></p> <p> </p> <p>Here are some best practices to mitigate misuse of keys and certificates:</p> <ul> <li>Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM</li> <li>Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.</li> <li>Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).</li> <li>Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.</li> <li>Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.</li> </ul>
Jamil Jaffer , Former WH Exec and SVP for Strategy, Partnerships & Corporate Development
InfoSec Expert
December 16, 2020 1:57 pm
SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer\’s network. According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6% of its customers) deployed a version of the Orion platform that may have been compromised. Given previous attacks of this kind, it is likely that the scope of this threat is broader than the handful of agencies confirmed to be involved thus far. Moreover, it\’s worth noting that Secretary of State Pompeo suggested that a number of private sector entities were also likely targeted. Given the scope and nature of the vulnerability, and the ability to gain and escalate privileges in a significant way, it is important that affected entities apply the current patch available as well as any other appropriate patches as released.
The jury is still out on whether or not this vulnerability has been exploited before and if it\’s part of a broader campaign. Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept. Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us.
This event does highlight the challenge of managing the supply chain of individual organizations. Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors. Supply chain attacks, of course, are not new. Indeed, the classic story of the Trojan Horse itself is, in some sense, a supply chain attack. What is different about the modern era, of course, is how much of the modern supply chain relies on foreign sources. While this issue is not necessarily in play with this particular incident, our nation\’s reliance on foreign supply chains, particularly in China, are likely to continue to raise concerns. Moreover, this incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies.
This attack demonstrates the thought of the modern hackers and the new attack surface. Traditional tools can prevent or detect traditional attack vectors, but the ecosystem of the modern organization includes many other entry points. For organizations like FireEye, the weakest point is not in its network, but the weaker external services and infrastructures it relies upon.
In this instance, hackers used the third party to penetrate the network, however in many the supply-chain attacks, hackers achieve their objectives without this, either by stealing the data directly from the third-party or by abusing the third party such that the info will reach the hackers without going through the organization’s network (e.g. Magecart attacks).
Expect further hacking campaigns that will abuse an organization\’s ecosystem, simply because it is the easiest way to penetrate many of the hottest targets today, and because ironically, some of these attack vectors are cheaper to use and more difficult to detect.
<p>The SolarWinds breach is undoubtedly unprecedented and it is certainly not ‘just another data breach’. We’ve seen cyberattacks carried out by foreign intelligence services before, but none at this scale and with this much potential to cause catastrophic damage, the extent of which is currently unknown. </p> <p> </p> <p>What we do know is that a foreign adversary was able to gain access to the IT systems of the Pentagon, all five branches of the U.S. military, the State Department, NASA, the NSA, the Postal Service, the National Oceanic Atmospheric Administration, the Department of Justice, and the Office of the President of the United States, stealing vast amounts of data in the process. </p> <p> </p> <p>Supply chain attacks like this have been a concern for the security industry for a long time; the threats posed by supply chain attacks are severe as not only are they typically more difficult to detect, but they often come through trusted third-parties with high levels of access to sensitive and classified data. </p> <p> </p> <p>This is where the problem lies. This demonstrates there is no such thing as an unreachable network, yet many organisations are still focused on controls that secure the network. The emphasis instead should be on controls that secure data. With a data-centric approach, organisations can ensure that even if the network of one of their suppliers or a trusted third party is compromised, their data will be secure. A software-defined approach to Information Assurance (IA) combined with the ability to deploy and manage seamlessly with technologies such as Layer 4 encryption, means that even if cyber hackers manage to infiltrate a network and ‘steal’ data, the contents of the data will be unreadable and effectively rendered useless. </p> <p> </p> <p>This won’t be the last data breach of this kind that we’ll see, so serious lessons need to be learned. These attacks are called ‘data breaches’, not ‘network breaches’, for a reason, so focusing on securing data is the only way for organisations to avoid becoming the next victim.</p>
<p><span lang=\"\\"EN-CA\\"\">Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates allowing them to fabricate fake tokens for network access, transversing that to cloud access and subsequently manage network access and user permissions.</span></p> <p> </p> <p><span lang=\"\\"EN-CA\\"\">This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organization\\\’s broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management.</span></p> <p> </p> <p>Here are some best practices to mitigate misuse of keys and certificates:</p> <ul> <li>Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM</li> <li>Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.</li> <li>Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).</li> <li>Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.</li> <li>Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.</li> </ul>
<p dir=\"\\"ltr\\"\">Given the massive global scale of installations, the stakes are high with the SolarWinds hack. Many of these installations are across highly-sensitive industrial operations where network visibility is traditionally weaker. In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to <a href=\"\\"https://www.electricitysubsector.org/-/media/Files/ESCC/Documents/12142020ESCC-Statement.ashx?la=en&hash=77A13645EC52718725DDA834E2F321E2F6FEF43B\\"\" target=\"\\"_blank\\"\" rel=\"\\"noopener\\"\" data-saferedirecturl=\"\\"https://www.google.com/url?q=https://www.electricitysubsector.org/-/media/Files/ESCC/Documents/12142020ESCC-Statement.ashx?laenhash77A13645EC52718725DDA834E2F321E2F6FEF43B&source=gmail&ust=1608621544022000&usg=AFQjCNHowmDg7_AFOlIBeTrWrccFlW0Wjw\\"\">discuss</a> the emerging threat and how to respond. </p> <p dir=\"\\"ltr\\"\"> </p> <p dir=\"\\"ltr\\"\">You can not secure what you can’t see, so organizations across every industry must react by first identifying where SolarWinds software is installed across their environments. From there, they must further hone in on their inventory by determining the version(s) that are running to evaluate the vulnerability risk that may or may not be present. Without doing so, these risks get scaled in tandem with the vulnerabilities, and from the industrial perspective, this jeopardizes critical functions that impact everyday life.</p>
SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer\’s network. According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6% of its customers) deployed a version of the Orion platform that may have been compromised. Given previous attacks of this kind, it is likely that the scope of this threat is broader than the handful of agencies confirmed to be involved thus far. Moreover, it\’s worth noting that Secretary of State Pompeo suggested that a number of private sector entities were also likely targeted. Given the scope and nature of the vulnerability, and the ability to gain and escalate privileges in a significant way, it is important that affected entities apply the current patch available as well as any other appropriate patches as released.
The jury is still out on whether or not this vulnerability has been exploited before and if it\’s part of a broader campaign. Although this event is certainly a big deal, the idea that foreign adversaries are leveraging attacks to collect intelligence is not a new concept. Moreover, there is no information yet to suggest that the access obtained through this vulnerability was used to manipulate, modify, or destroy information. Were such information to come to light, we might be presented with a very different scenario than what is currently before us.
This event does highlight the challenge of managing the supply chain of individual organizations. Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors. Supply chain attacks, of course, are not new. Indeed, the classic story of the Trojan Horse itself is, in some sense, a supply chain attack. What is different about the modern era, of course, is how much of the modern supply chain relies on foreign sources. While this issue is not necessarily in play with this particular incident, our nation\’s reliance on foreign supply chains, particularly in China, are likely to continue to raise concerns. Moreover, this incident highlights the increasingly important national security role of a diverse set of agencies like the Departments of Treasury and Commerce and the increased threat of nation-state attacks targeting such agencies.
This attack demonstrates the thought of the modern hackers and the new attack surface. Traditional tools can prevent or detect traditional attack vectors, but the ecosystem of the modern organization includes many other entry points. For organizations like FireEye, the weakest point is not in its network, but the weaker external services and infrastructures it relies upon.
In this instance, hackers used the third party to penetrate the network, however in many the supply-chain attacks, hackers achieve their objectives without this, either by stealing the data directly from the third-party or by abusing the third party such that the info will reach the hackers without going through the organization’s network (e.g. Magecart attacks).
Expect further hacking campaigns that will abuse an organization\’s ecosystem, simply because it is the easiest way to penetrate many of the hottest targets today, and because ironically, some of these attack vectors are cheaper to use and more difficult to detect.