Could the “ex-factor” limit the blast radius and reduce the impact of the SolarWinds breach?
Jannine A. Mahone, Senior Manager, Product Marketing February 9, 2021
While the world waged war on an invisible virus, the Infosec community battled an equally invisible adversary. Overwhelmed by the volume of vulnerabilities, many lost the battle temporarily. The “breached” list for 20201 ran the gamut from retail to healthcare, transportation to tech, telecom, hospitality, and federal agencies. The attack techniques also ranged from phishing scams to ransomware attacks. Attacks such as that orchestrated through the SolarWinds malware revealed deep levels of sophistication and extended planning and reconnaissance. Savvy threat management teams have learned the value of combining vulnerability exploitability with exposure analysis as the secret sauce for limiting their remediation scope to assets at highest risk due to direct exposure to a threat actor.
Recap of the SolarWinds breach
The December 24 advisory2 from SolarWinds explained this now infamous event as a “cyberattack to our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.” Specifically, it permits an attacker to gain access to network traffic management systems and through lateral movement exfiltrate sensitive data.
This attack sent ripples through the infosec community as vulnerability teams scrambled to run scans and research the business impact of this newly identified threat.
What was the impact of this malware?
On December 13 FireEye published an advisory3 regarding its discovery of the supply chain attack trojanizing SolarWinds' Orion business software updates in order to distribute the SUNBURST malware. According to FireEye, the SUNBURST backdoor sits dormant for about two weeks then retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. This malware has propagated across a vast supply chain impacting organizations in all industries.
Organizations affected to-date include Microsoft4 and The National Nuclear Security Administration5 (which maintains the US nuclear stockpile). Intel, nVidia, and Cisco were also affected. The list of companies continues to grow as each day goes by.
How are companies addressing this now and in the future?
As teams responded quickly to the news, we look back in retrospect and ask, “could anything have been done to stop the attack? What techniques should have been in place to prevent propagation?”
As an immediate stopgap, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive6 ordering all federal agencies to immediately disconnect the affected Orion products from their networks. This best practice approach is now being adopted by many commercial entities as part of their risk mitigation process:
Discover and Analyze
- Identify all systems hosting all instances of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
Respond and Remediate
- Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.
- Until affected entities can rebuild the Windows operating system and reinstall the SolarWinds software package, they are prohibited from (re)joining the Windows host OS to the enterprise domain.
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
Microsoft took part in analyzing the attack7 and responding with a counter campaign,8 by seizing domains of the attackers. Even though there is no definitive decision regarding the attack vector through which SUNBURST was introduced, there are additional schools of thought including the claim that CVE-2020-14005 & CVE-2020-13169 were related to the breach. Our Research Labs took immediate steps to add these CVEs to the Skybox Vulnerability Dictionary.9
Preventing similar attacks in the future requires a fresh approach to vulnerability management
Looking at the modus operandi of this Russian-sponsored APT actor, known as APT29, or Cozy Bear, our Research Lab indicated that the SUNBURST malware is very sophisticated with various obfuscation techniques and multiple C2 servers. Its post-compromise activity includes lateral movement and data theft. CERT10 says this group generally operates by “obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data.”
In November, Vinoth Kumar, a security researcher reported to SolarWinds that their update server was accessible with a weak password that had been open for a long time before he reported it. They fixed the issue shortly after. Kumar stated11 that it was possible the attackers could have used the same FTP credentials, acquired a signing certificate and they could modify the .dll, sign it, and upload it to the FTP server.
How do organizations as large as SolarWinds keep track of the millions of credentials while keeping up with the deepening flood of vulnerabilities appearing on a daily basis? Effective vulnerability management requires a fresh outlook. Traditional threat management methods of scanning assets for improper configurations and remediating through patching or segmenting continue to fail. Risk and security professionals must utilize deep context to target assets that are high value (such as development and update servers) that contain vulnerabilities that are exploited in the wild but more importantly are exposed to threat actors seeking to breach these assets. The magic combination of exploitability and exposure analysis based on a solid foundation of asset intelligence produces a focal point for remediation to be done quickly and effectively.
Why Skybox for Vulnerability and Threat Management?
The Skybox platform proactively protects against breaches by building a solid, aggregated repository of asset intelligence collected from over 150 data sources. Skybox Vulnerability Control enables security teams to instantly focus their attention daily on assets that are truly vulnerable — exposed to threat origins anywhere in your network. Advisories such as SolarWinds are incorporated into our daily intelligence feeds helping companies to address the following questions:
What is a realistic picture of my attack surface?
Skybox combines data insight from asset and patch management systems and network devices with scan data along with rich context from our daily research-developed threat intelligence feed to build an accurate network model of the most complex environments. This context-rich assessment produces an accurate picture of the true attack surface — for on–premises, multi–cloud and operational technology (OT) networks.
If a breach occurs, what is the actual blast radius?
In a typical customer environment with over 1.5 million vulnerability occurrences, vulnerabilities with critical or high severity CVSS scores represented 28% of occurrences, while only 11% were severe and exploitable. Further deep contextual analysis on assets of high importance that were exposed to threat origins (internal or external) revealed only 0.1% of these vulnerabilities warranted immediate remediation.
What are my most effective remediation options?
Because of our network insight, remediation options aren’t limited to just patching; Skybox informs you of IPS signatures and helps plan network–based changes that cut off vulnerable assets from attack paths.
How do I limit my risk analysis in the future to focus only on high-risk areas?
The Skybox Vulnerability dictionary contains over 5.4 million records, updated on a daily basis by our elite Research Lab. Updates include advisories from key vendors of high priority and enterprise-grade products alongside advisories from the NVD database and many other sources. Skybox customers can see the relevant compromised software via the Skybox Vulnerability Dictionary available in Vulnerability Control. Our passive vulnerability management highlights gaps in network infrastructure without creating disruption of key devices such as routers and firewalls. Remediation options such as changes to firewall rules can be initiated quickly and effectively.
As attackers continue to evolve their expertise and ability to exploit vulnerabilities, security tools must accurately predict attack paths and provide the means for exposed assets to get the full attention of remediation teams.
- 2020 Data Breaches: The most significant breaches of the year: https://www.identityforce.com/blog/2020-data-breaches
- SolarWinds Security Advisory: https://www.solarwinds.com/securityadvisory
- FireEye Threat Research Blog: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- Microsoft breach: https://www.cnet.com/news/microsoft-says-solarwinds-hackers-viewed-source-code/
- DoE breach: https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855
- CERT advisory: https://cyber.dhs.gov/ed/21-01/
- Microsoft customer guidance on the attack: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- Microsoft’s role in SolarWinds breach: https://www.crn.com/news/security/microsoft-s-role-in-solarwinds-breach-comes-under-scrutiny
- Skybox Vulnerability Center: https://www.vulnerabilitycenter.com/#!vendor=SolarWinds
- CERT and Russian threat actors operating plan: https://us-cert.cisa.gov/ncas/alerts/aa20-296a
- Vinoth Kumar report: https://www.theregister.com/2020/12/16/solarwinds_github_password/