News over the weekend of a massive breach by Russia’s APT 29 against the U.S. Treasury and U.S. Commerce Departments was eye-opening in its intensity. In addition, the CISA emergency directive urging all public and private sector organizations to assess their exposure and disconnect or power down the SolarWinds Orion products the attacks were tied to was a rare move: CISA issued such a directive for only the fifth time in its history.
The infrequency of these types of directives should catch everyone’s eye and reinforce the seriousness of this latest breach. In other words, this warning should not go unnoticed. Since SolarWinds has 300,000 customers and more than 400 out of the world’s Fortune 500, a bold action like this was needed and required.
Now, we all want to know what the private sector companies protected in part by SolarWinds will do. We also should all listen carefully to SolarWinds. As defenders, the company must first protect its clients, but it also holds vital pieces of information and they must move forward in a transparent manner. In the short-term, we think SolarWinds’ customers should create a task force or war room to hunt adversaries and deal with the specific TTPs, vulnerabilities and exploits in question.
As public and private sector companies share common tools, practices and managed services, it’s important to remember that homogeneity makes us vulnerable. This situation cannot be passed off to others; each organization has to own its space. That’s because the legitimate tools that make up that homogeneity are open to compromise.
Two points on this: First, the security incidents at the U.S. Treasury and Commerce Departments, as well as FireEye can be traced back to their use of the Orion platform. They didn’t fall for a phishing campaign or suffer a malware infection from an unapproved application. SolarWinds was trusted and welcomed through the front door. That’s how they got infected by the Sunburst Backdoor, the malware delivered by SolarWinds Orion software. In fact, FireEye Sunday reported that SolarWinds pushed multiple trojanized updates between March and May of 2020, installing the Sunburst backdoor. The attacks are not limited to government, wrote FireEye, and also hit the consulting, technology, telecom sectors. The attacks were also not limited to the United States, also hitting Europe, Asia and the Middle East.
Second, it just goes to show the limits of cyber hygiene. SolarWinds has a stellar reputation, it’s signed and legitimate software. This attack consisted of a valid, signed Symantec certificate on a normal SolarWinds Orion update. No hygiene in the world would have blocked that. The malicious actors had infected the distribution systems and/or signed libraries, a move which almost ensured that detection wouldn’t be straightforward.
If your organization uses the SolarWinds Orion product, security teams are advised to strengthen their security posture as follows:
- Isolate machines running SolarWinds until further information emerges as the investigation unfolds.
- Reimage the impacted machines.
- Reset credentials for accounts that have access to SolarWinds machines.
- SolarWinds customers should upgrade to Orion Platform version 2020.2.1 HF1 as soon as possible, they’ve also provided further mitigation steps
With the U.S. government looking to transition between administrations, cyber activity that leads to lockdowns and freezes has the potential to slow or damage government transition work. With the inauguration in January, it’s important that we do not allow any damage. After that, the government can proceed in its normal transition of administrations.
We’re left with this: Now’s the time to listen to CISA and the government and to carefully manage the need to stay open and service the public for the private sector as well as the need to continue government operations and transition while minimizing complexity and risk to security and privacy.
In the meantime, we all need to take on a robust, behavioral, post-breach mindset. Everything was working as it should, but Orion became the point of infection. It’s not merely just a technology issue. It’s also a people and process issue, and while cyber hygiene always matters, after a certain point effective detection capabilities matter more.
Sam Curry, chief security officer, Cybereason