*UPDATED, 30/11/2023 - SEC VS SolarWinds CISO*
The compromise of SolarWinds' Orion IT network management platform dominated headlines due to the scope, impact, and stealthy nature of the attack. In what is known as a "supply chain" attack, SolarWinds, a major software company based in Tulsa, Oklahoma, was compromised by suspected nation-state hackers. During this hack, the company’s IT performance monitoring system’s internal build and update-distribution systems were compromised and malicious updates were sent to 18,000 of 33,000 of their customers. This unprecedented cyberattack is one of the largest ever recorded, and according to SolarWinds' SEC 8-K filing, the hackers were able to hide in plain sight for several months of espionage activities.
Alarmingly, the SolarWinds cyberattack impacted numerous high-value U.S. government agencies that are customers of Orion, including the U.S. Department of Commerce, the U.S. Department of Treasury, and the U.S. Department of Homeland Security. Additionally, FireEye publicly disclosed it was compromised and that hundreds of its red-teaming tools were accessed. The stealthy nature of this supply-chain attack, and the advanced capabilities and backdoors in use, served as a wake-up call for organizations including critical infrastructure, industrial control systems (ICS), and SCADA operators.
During the SolarWinds cyberattack, IT security teams scrambled to assess risk and remediate, but it is also critical for businesses to understand how their operational technology (OT) networks and industrial processes may have also been impacted by this attack:
The malicious Sunburst backdoor included in the Orion updates is difficult to detect because it is digitally signed by SolarWinds and treated as legitimate software traffic by the target host and enterprise-grade detection software. There is no "vulnerability to detect" per se—the software is the vulnerability. Asset operators need to be able to catalog the software in the OT environment to understand if they had affected versions of SolarWinds Orion running.
The Orion platform is largely a network performance management system that pulls data from connected systems in order to pinpoint any significant issues that need remediation. Organizations use it to centrally manage an IT environment from a single dashboard. The platform also locally stores credentials to assets and applications throughout the environment. The scope of the potential compromise for any organization was therefore much larger than the SolarWinds Orion software itself, and compromise scoping during any incident needs to account for every asset those stored credentials can reach.
With the previous two points in mind, finding any instance of SolarWinds in the environment means you need to rebuild the Orion system and any system it has credentials to access. That's the only way to address the full scope of the compromise.
Attackers had been using Orion to distribute multiple signed malicious updates since March 2019 and into May. The SUNBURST backdoor gave the attackers a seemingly legitimate presence on networks. Once inside, it's likely that they were able to move laterally on Orion customer networks to gain access to other network domains in order to steal data or exploit other vulnerabilities. As organizations tend to "whitelist" network management systems to prevent false positives, the attackers were able to use this foothold to hide in plain sight. Asset operators, therefore, need to leverage detection techniques to look for anomalous traffic in the OT environment.
Security teams should inspect domain (DNS) activity for unusual or suspicious requests. In particular, look for connections to avsvmcloud[.]com, which is a beaconing indicator of compromised instances of SolarWinds Orion.
Even if you've taken all of these steps, it is possible that attackers are in the environment and have established additional footholds or backdoors. Therefore it's critical that you have detection tools in place that rely upon a variety of different detection methodologies to spot an attacker. Doing this ensures you have a broad set of traps and snares to catch lateral movement.
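The DNS inspection recommended above can be run as a sweep over resolver logs. The following is an added example, not code from the original article or from SolarWinds; the log layout (`timestamp client qtype qname`), the sample lines and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Beaconing domain named in the article, kept defanged as the page writes it.
IOC_DOMAIN = "avsvmcloud[.]com"

# Constructed sample resolver log. Assumed layout: "<time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2020-06-02T08:14:03Z 10.20.1.15 A abc123.constructed-label.avsvmcloud.com.
2020-06-02T08:14:09Z 10.20.1.40 A updates.example.org
2020-06-02T09:02:51Z 10.20.1.15 CNAME AVSVMCLOUD.COM
2020-06-02T09:30:00Z 10.20.7.22 A notavsvmcloud.com
2020-06-02T09:31:12Z 10.20.7.22 A avsvmcloud.com.cdn.example.net
malformed line without enough fields
"""


def normalize(name):
    """Refang, lower-case and drop the trailing root dot of a domain name."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()


def matches_ioc(qname, ioc=IOC_DOMAIN):
    """True when qname is the IOC domain or a subdomain of it.

    Matching on a label boundary avoids false positives from look-alike
    names that merely contain the IOC string.
    """
    q, d = normalize(qname), normalize(ioc)
    return q == d or q.endswith("." + d)


def scan(log_text):
    """Return {client: [(timestamp, qname), ...]} for queries hitting the IOC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed or truncated records
            continue
        ts, client, _qtype, qname = parts
        if matches_ioc(qname):
            hits[client].append((ts, qname))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} lookups, first seen {events[0][0]}")
```

Each client the sweep reports is a host to bring into the compromise scoping described earlier, together with every system its stored credentials can reach.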
Following the SolarWinds hack, the organization and its chief information security officer (CISO) were recently charged by the U.S. Securities and Exchange Commission (SEC) for allegedly misleading investors about cybersecurity practices and risk handling practices leading up to its disclosure of the attack. According to the SEC's claims, SolarWinds CISO Timothy Brown was aware of the company’s cybersecurity risks and vulnerabilities but failed to resolve them. The SEC also alleged that SolarWinds had made an incomplete disclosure in December 2020 when the incident came to light. This SEC filing is an example of how disjointed cybersecurity can be from the corporate risk, compliance, and regulatory functions typically handled by disparate teams. The incident and the repercussions SolarWinds has faced since highlight the need for security leaders to embrace exposure management strategies to protect their critical environments amid these increasingly challenging conditions.
As we know, every cyber-physical systems (CPS) environment is unique — and managing and assessing risk in each unique environment has grown increasingly complex. By implementing a comprehensive and proactive risk-based vulnerability management strategy, organizations can ensure they have the tools to properly assess their OT risk posture and effectively prioritize the most pressing vulnerabilities in their environment. With capabilities such as those in Claroty’s new exposure management module, organizations can better understand their CPS risk posture, better allocate their resources to improve it, and accelerate their CPS security journey. As CISOs and their teams continue to face new challenges in managing CPS cyber risk, capabilities like those in our exposure management module can help alleviate their pain points and address their toughest cybersecurity challenges.
1 https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/57108215-4458-4dd8-a5bf-55bd5e34d451.pdf