As teams responded quickly to the news, we look back in retrospect and ask, “could anything have been done to stop the attack? What techniques should have been in place to prevent propagation?”
As an immediate stopgap, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive6 ordering all federal agencies to immediately disconnect the affected Orion products from their networks. This best practice approach is now being adopted by many commercial entities as part of their risk mitigation process:
Discover and Analyze
- Identify all systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
Respond and Remediate
- Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.
- Until affected entities can rebuild the Windows operating system and reinstall the SolarWinds software package, they are prohibited from (re)joining the Windows host OS to the enterprise domain.
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
Microsoft took part in analyzing the attack7 and responding with a counter campaign,8 by seizing domains of the attackers. Even though there is no definitive decision regarding the attack vector through which SUNBURST was introduced, there are additional schools of thought including the claim that CVE-2020-14005 & CVE-2020-13169 were related to the breach. Our Research Labs took immediate steps to add these CVEs to the Skybox Vulnerability Dictionary.9
Preventing similar attacks in the future requires a fresh approach to vulnerability management
Looking at the modus operandi of this Russian-sponsored APT actor, known as APT29, or Cozy Bear, our Research Lab indicated that the SUNBURST malware is very sophisticated with various obfuscation techniques and multiple C2 servers. Its post-compromise activity includes lateral movement and data theft. CERT10 says this group generally operates by “obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data.”
In November, Vinoth Kumar, a security researcher reported to SolarWinds that their update server was accessible with a weak password that had been open for a long time before he reported it. They fixed the issue shortly after. Kumar stated11 that it was possible the attackers could have used the same FTP credentials, acquired a signing certificate and they could modify the .dll, sign it, and upload it to the FTP server.
How do organizations as large as SolarWinds keep track of the millions of credentials while keeping up with the deepening flood of vulnerabilities appearing on a daily basis? Effective vulnerability management requires a fresh outlook. Traditional threat management methods of scanning assets for improper configurations and remediating through patching or segmenting continue to fail. Risk and security professionals must utilize deep context to target assets that are high value (such as development and update servers) that contain vulnerabilities that are exploited in the wild but more importantly are exposed to threat actors seeking to breach these assets. The magic combination of exploitability and exposure analysis based on a solid foundation of asset intelligence produces a focal point for remediation to be done quickly and effectively.
Why Skybox for Vulnerability and Threat Management?
The Skybox platform proactively protects against breaches by building a solid, aggregated repository of asset intelligence collected from over 150 data sources. Skybox Vulnerability Control enables security teams to instantly focus their attention daily on assets that are truly vulnerable — exposed to threat origins anywhere in your network. Advisories such as SolarWinds are incorporated into our daily intelligence feeds helping companies to address the following questions:
What is a realistic picture of my attack surface?
Skybox combines data insight from asset and patch management systems and network devices with scan data along with rich context from our daily research-developed threat intelligence feed to build an accurate network model of the most complex environments. This context-rich assessment produces an accurate picture of the true attack surface — for on–premises, multi–cloud and operational technology (OT) networks.
If a breach occurs, what is the actual blast radius?
In a typical customer environment with over 1.5 million vulnerability occurrences, vulnerabilities with critical or high severity CVSS scores represented 28% of occurrences, while only 11% were severe and exploitable. Further deep contextual analysis on assets of high importance that were exposed to threat origins (internal or external) revealed only 0.1% of these vulnerabilities warranted immediate remediation.
What are my most effective remediation options?
Because of our network insight, remediation options aren’t limited to just patching; Skybox informs you of IPS signatures and helps plan network–based changes that cut off vulnerable assets from attack paths.
How do I limit my risk analysis in the future to focus only on high-risk areas?
The Skybox Vulnerability dictionary contains over 5.4 million records, updated on a daily basis by our elite Research Lab. Updates include advisories from key vendors of high priority and enterprise-grade products alongside advisories from the NVD database and many other sources. Skybox customers can see the relevant compromised software via the Skybox Vulnerability Dictionary available in Vulnerability Control. Our passive vulnerability management highlights gaps in network infrastructure without creating disruption of key devices such as routers and firewalls. Remediation options such as changes to firewall rules can be initiated quickly and effectively.
As attackers continue to evolve their expertise and ability to exploit vulnerabilities, security tools must accurately predict attack paths and provide the means for exposed assets to get the full attention of remediation teams.
How to remediate SolarWinds with Skybox: step-by-step guide
Learn more about Skybox Vulnerability Control
Explore advisories on the Skybox Vulnerability Center
- 2020 Data Breaches: The most significant breaches of the year: https://www.identityforce.com/blog/2020-data-breaches
- SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory
- FireEye Threat Research Blog: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- Microsoft breach: https://www.cnet.com/news/microsoft-says-solarwinds-hackers-viewed-source-code/
- DoE breach: https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855
- CERT advisory: https://cyber.dhs.gov/ed/21-01/
- Microsoft customer guidance on the attack: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- Microsoft’s role in SolarWinds breach: https://www.crn.com/news/security/microsoft-s-role-in-solarwinds-breach-comes-under-scrutiny
- Skybox Vulnerability Center: https://www.vulnerabilitycenter.com/#!vendor=SolarWinds
- CERT and Russian threat actors operating plan: https://us-cert.cisa.gov/ncas/alerts/aa20-296a
- Vinoth Kumar report: https://www.theregister.com/2020/12/16/solarwinds_github_password/