FireEye
On December 8th, cybersecurity firm FireEye reported a breach of its network. According to FireEye, the attackers gained access to its environment and obtained many of its Red Team assessment tools, which FireEye uses to test customer environments by imitating real attacker activity. FireEye was quick to confirm that the stolen data did not include any zero-day exploits. In response to the breach, FireEye released a GitHub repository containing countermeasures for the stolen Red Team tools. FireEye did not release details of how the intrusion was carried out, saying only that it was highly sophisticated and likely the work of a state-sponsored adversary.
Five days after the initial announcement, on December 13th, 2020, FireEye posted a blog on its site with additional findings from the investigation. FireEye's analysis identified the source of the breach as the Orion network monitoring product from SolarWinds, and described the breach as part of an extensive campaign dating back to the Spring of 2020. On the same day, FireEye released a threat research article with further technical detail. According to that article, the attackers used a supply chain compromise to distribute malware dubbed SUNBURST.
SUNBURST
In the days since the initial revelation, many new details have come to light regarding SUNBURST. SUNBURST was delivered through a supply chain attack: a malicious version of an update for the SolarWinds Orion business software. The attacks targeted Orion versions 2019.4 HF 5 through 2020.2.1, the versions released between March 2020 and June 2020. The trojanized SolarWinds update not only gave the attackers access to the target's network but also provided them with a backdoor, allowing them to move laterally once inside the network and steal data. The specific file that was compromised is a SolarWinds DLL, SolarWinds.Orion.Core.BusinessLayer.dll. This DLL is a legitimate component of the Orion software framework and is a digitally signed Orion software component. The trojanized DLL contains a backdoor that communicates with third-party servers over HTTP. Once the malicious file is installed on the target machine, it lies dormant for up to two weeks. When the malware executes, it disguises its traffic as the legitimate Orion Improvement Program (OIP) protocol, allowing it to blend in with normal SolarWinds traffic.
There is not only one
Research by FireEye indicated that it was not just one update that was compromised but several updates from March 2020 to May 2020. Regardless of which update was installed, the sequence of events followed the same basic pattern: the update is installed, lies dormant for up to two weeks, and then, once active, attempts to resolve a subdomain of avsvmcloud[.]com. The Command and Control (C2) traffic was designed to mimic typical SolarWinds API traffic.
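The first observable step in that pattern is a DNS lookup for a subdomain of avsvmcloud[.]com, so a defender can sweep resolver logs for it. The following is an added example, not code published by FireEye or SolarWinds: the log line format, client addresses and subdomain labels are constructed for the example; only the parent domain comes from the text.

```python
import re

# First-stage SUNBURST C2 domain from the text (defanged there as avsvmcloud[.]com; plain here to match logs).
C2_DOMAIN = "avsvmcloud.com"

# Constructed resolver query log in the form: <ISO-8601 UTC timestamp> <client IP> <queried name> <qtype>.
# Client addresses and subdomain labels are made up for this example; only the parent domain is from the text.
SAMPLE_DNS_LOG = """\
2020-06-18T03:14:07Z 10.20.1.15 api.solarwinds.com A
2020-06-18T03:14:09Z 10.20.1.15 xq7pk2d.avsvmcloud.com A
2020-06-18T03:20:41Z 10.20.1.22 notavsvmcloud.com A
2020-06-19T11:02:55Z 10.20.1.15 m3tr9z.region-a.avsvmcloud.com A
2020-06-19T11:03:00Z 10.20.1.40 AVSVMCLOUD.COM. A
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_c2_lookup(qname, c2_domain=C2_DOMAIN):
    """True for the C2 domain itself or any subdomain of it.

    Case-insensitive, ignores a trailing root dot, and matches on a label
    boundary so that look-alikes such as notavsvmcloud.com are not flagged.
    """
    name = qname.lower().rstrip(".")
    return name == c2_domain or name.endswith("." + c2_domain)


def find_sunburst_lookups(log_text):
    """Map each client that queried the C2 domain to its hit count, first-seen time and queried names."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        ts, client, qname, _qtype = m.groups()
        if not is_c2_lookup(qname):
            continue
        entry = hits.setdefault(client, {"count": 0, "first_seen": ts, "names": []})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO-8601 UTC strings sort chronologically
        entry["names"].append(qname.lower().rstrip("."))
    return hits


if __name__ == "__main__":
    for client, info in sorted(find_sunburst_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {info['count']} lookup(s), first seen {info['first_seen']}: {', '.join(info['names'])}")
```

Each flagged client is a host to check for an affected Orion build and for the dormancy window described above; the first-seen time bounds when the implant became active.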
Now what?
SUNBURST has the IT community buzzing, and rightfully so. SolarWinds Orion is one of the most widely used IT infrastructure monitoring programs in the world. It monitors network performance, servers and applications, and configuration management, and it offers a great deal of remote visibility into large, complex computer networks. So, when companies are told to shut off their monitoring solution, it is important that they have a backup plan for visibility. The full impact of this hack will not be known for some time. In the meantime, there are some steps that you can take to protect your business.
In Conclusion
This hack highlights a broader subject in the information technology ecosystem. Organizations tend to move back and forth between centralized and decentralized systems for a variety of reasons, such as cost, availability, and even COVID. Many companies choose to build their entire infrastructure around a single toolset because of bulk pricing and the cost of hiring professionals to manage one toolset. Companies might want to rethink this strategy and consider how a failure at a critical vendor affects the redundancy of their systems management. Perhaps now is the time to add some diversity to software and service selection, and to plan for a major security incident or critical outage at one of these big vendors. As mentioned earlier, the data from this attack is still coming out, but the best thing to do is keep to your security best practices as you move forward and plan for this type of event in the future.