SolarWinds Attack: What We Know
A highly evasive, targeted supply chain attack that compromises SolarWinds software has recently come to light. FireEye discovered the attack, which trojanized SolarWinds Orion business software updates in order to distribute malware that FireEye calls SUNBURST.
What We Know
FireEye has uncovered a widespread hacking campaign, also known as UNC2452. The attackers gained access to numerous public and private organizations around the world via trojanized updates to SolarWinds' Orion IT monitoring and management software. This hack is the work of a highly skilled actor, and the operation was conducted with significant operational security.
According to FireEye, "SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST." After an initial dormant period of up to two weeks, the backdoor retrieves and executes commands, called "Jobs". These jobs have the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.
What Is Next?
To protect clients, Eze Castle Integration applied the necessary updates and patches. Attacks like this demonstrate why a defense in depth approach is essential as it provides layered protection across multiple threat vectors. SIEM and advanced endpoint protection like SentinelOne are also essential.
With SIEM, firms have the ability to look for red flags, including:
- File hashes for Windows processes executed.
- Correlations and alert definitions have been added to SIEM for SolarWinds.
- Domain names and IP addresses were checked in the Palo Alto logs.
- IP addresses were scanned for in the Cisco ASA logs.
- NCM server processes making connections to suspicious destinations on the Internet.
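As an added example (not from the original post or from Eze Castle Integration), the following Python script applies the hunts listed above to constructed log lines: it matches executed-module hashes and connection destinations against a watchlist, and flags Orion/NCM hosts talking to destinations outside an allowlist. The hashes, domains, hostnames and log format are placeholders and assumptions, not real SolarWinds indicators.

```python
"""Toy SIEM-style hunt for the SolarWinds red flags (constructed data only)."""
import re

# Constructed watchlists: replace with the indicators published by FireEye/SolarWinds.
BAD_HASHES = {"placeholder-sha256-of-trojanized-dll".lower()}
BAD_DOMAINS = {"placeholder-c2.example"}
# Hosts running SolarWinds Orion/NCM; they should only reach known management destinations.
ORION_HOSTS = {"orion01"}
ALLOWED_DESTINATIONS = {"10.0.0.5", "updates.solarwinds.com"}  # constructed allowlist

# Assumed log formats (constructed): a module-load event and a firewall connection event.
MODULE_RE = re.compile(r"host=(?P<host>\S+) module=(?P<module>\S+) sha256=(?P<sha256>\S+)")
CONN_RE = re.compile(r"host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)")


def hunt(lines):
    """Return (rule, line) findings; lines that match no rule are dropped."""
    findings = []
    for line in lines:
        if m := MODULE_RE.search(line):
            # Red flag 1: a known-bad hash for an executed/loaded Windows component.
            if m["sha256"].lower() in BAD_HASHES:
                findings.append(("known-bad-hash", line))
        elif m := CONN_RE.search(line):
            dst = m["dst"]
            # Red flag 2: a destination on the domain/IP watchlist (Palo Alto / ASA logs).
            if dst in BAD_DOMAINS:
                findings.append(("known-bad-destination", line))
            # Red flag 3: an Orion/NCM server reaching an unexpected Internet destination.
            elif m["host"] in ORION_HOSTS and dst not in ALLOWED_DESTINATIONS:
                findings.append(("orion-host-unexpected-destination", line))
    return findings


# Constructed sample events; only the Orion host's traffic is scoped by the allowlist rule.
SAMPLE_LOGS = [
    "2020-12-14T10:00:01 host=orion01 module=SolarWinds.Orion.Core.BusinessLayer.dll "
    "sha256=PLACEHOLDER-SHA256-OF-TROJANIZED-DLL",
    "2020-12-14T10:00:05 host=orion01 proc=SolarWinds.BusinessLayerHost.exe dst=updates.solarwinds.com",
    "2020-12-14T10:00:09 host=orion01 proc=SolarWinds.BusinessLayerHost.exe dst=placeholder-c2.example",
    "2020-12-14T10:00:12 host=orion01 proc=SolarWinds.BusinessLayerHost.exe dst=203.0.113.7",
    "2020-12-14T10:00:15 host=ws-042 proc=outlook.exe dst=203.0.113.7",
]

if __name__ == "__main__":
    for rule, line in hunt(SAMPLE_LOGS):
        print(f"[{rule}] {line}")
```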
- Create forward-looking detection rules. With SentinelOne you can detect and block the malware samples associated with the breach.
- Patch management is an essential line of defense in cybersecurity, and keeping system patches current is fundamental to an organization's security.
- It's not if, but when, your firm will be subject to a data breach. To prepare, have a Written Information Security Plan, Business Continuity Plan, and an Incident Response Plan specific to your firm at the ready.
- Employee training. After a large-scale, public breach like this, hackers often take advantage by deploying sophisticated phishing scams. Employee training can help your firm detect and deflect phishing schemes.
- Password policy. Ensure your firm is following secure password management and best practices, like prompting employees to change their passwords often and utilizing strong and unique passwords.
- Have the right security layers in place. Ensure your firm has the right tools, technologies and training protocols to adequately protect the firm.