By: Jeremy Rasmussen, Abacode CTO
Is your organization prepared and well equipped to protect its critical IT infrastructure?
You have probably heard of the SolarWinds breach, but what exactly is the SolarWinds software, and how can you protect your company and your IT infrastructure from a similar attack?
SolarWinds is a company whose Orion platform provides centralized health/status monitoring and management of corporate networks. SolarWinds customers include Microsoft, McDonald’s, Lockheed Martin, and Yahoo, as well as many government and military departments in the US and internationally.
Roughly 18,000 SolarWinds customers downloaded the trojanized Orion software updates, which were released between March 2020 (version 2019.4 HF 5) and June 2020 (version 2020.2.1). The malicious update was cryptographically signed by SolarWinds, i.e., it was “vendor-verified” software, so checking the signature would not have revealed the tampering.
The trojan itself stayed dormant for roughly two weeks before it began connecting out to command-and-control (C2) servers to retrieve and execute commands, including transferring and executing files, profiling the system, rebooting machines, and disabling services.
The malware evaded detection by mimicking normal SolarWinds API communications, interleaving its network traffic with legitimate SolarWinds Orion Improvement Program (OIP) protocol traffic, and even storing its reconnaissance results within legitimate plug-in configuration files. The trojan also used multiple obfuscated blocklists to identify endpoint protection tools running as processes, services, and drivers, and to sidestep them.
So, how did SolarWinds get hacked? At the time of writing, we don’t know. According to SolarWinds, the attack “was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker.”
Some have raised the possibility of an insider at SolarWinds who helped the attackers gain access to its clients; others suggest the attackers exploited a weakness in a public-facing system, meaning they could have compromised SolarWinds remotely.
According to a report SolarWinds filed with the U.S. Securities and Exchange Commission (SEC), the problem lay in the build pipeline rather than in the code itself: “the vulnerability … was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.”
DevOps is the combination of development (Dev) and operations (Ops), i.e., the people, processes, and technology used to build and ship new software releases. Had SolarWinds had stronger DevSecOps practices in place, such as hardened and monitored build servers and a check that the shipped binaries actually match what the audited source code produces, it might have detected and stopped the malware before it was widely propagated.
No matter how it happened, the lesson is clear: whoever you are, the question is not whether you will be targeted, but when, and how ready you will be to respond.
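The two points above (a validly signed update that was still malicious, and a compromise that lived in the build system rather than the source repository) are easy to state and easy to misjudge, so here is a small model of them as an added example. This is not SolarWinds’ or Abacode’s code and does not reproduce the real Orion backdoor; the “compiler” (zlib), the HMAC stand-in for vendor code signing, the signing key, the source text and the payload string are all constructed for the demo. It shows that a signature is applied to whatever the build server emits, so a payload injected during the build is signed along with everything else, and that an independent rebuild from the audited source (a reproducible-build check) is what actually exposes the mismatch.

```python
"""Model of a build-pipeline compromise (illustrative, constructed data only)."""
import hashlib
import hmac
import zlib
from typing import Callable, Dict, Tuple

# Constructed stand-ins; none of these are real SolarWinds values.
VENDOR_SIGNING_KEY = b"vendor-code-signing-key-demo"
CLEAN_SOURCE = b"public static void Main() { Monitor(); }"
INJECTED_PAYLOAD = b"Backdoor.Start();"  # stands in for the trojan logic


def compile_source(source: bytes) -> bytes:
    """Deterministic 'compiler': identical source always yields identical bytes.
    zlib at a fixed level is only a stand-in for a real build tool."""
    return zlib.compress(source, 9)


def honest_build(source: bytes) -> bytes:
    """A build server doing its job: compile exactly what is in the repo."""
    return compile_source(source)


def compromised_build(source: bytes) -> bytes:
    """A build server the attacker controls. The source repository is untouched;
    the payload is spliced in just before compilation, matching the SEC filing's
    description of code introduced in the build system, not the source repo."""
    return compile_source(source + INJECTED_PAYLOAD)


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Vendor code signing, modelled with HMAC-SHA256 (stand-in for Authenticode).
    Note that signing sees only the artifact, never the source it came from."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, signature: bytes,
                     key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What a customer's update check does: is this signed by the vendor's key?"""
    return hmac.compare_digest(sign(artifact, key), signature)


def release(build_fn: Callable[[bytes], bytes], source: bytes) -> Tuple[bytes, bytes]:
    """Build, then sign the result: the release step trusts the build output."""
    artifact = build_fn(source)
    return artifact, sign(artifact)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproducible_build_check(released_artifact: bytes, source: bytes) -> bool:
    """Rebuild independently from the audited source (on a separate, trusted
    builder) and compare hashes. A valid signature proves who signed the bytes;
    this check proves the bytes are what the source produces."""
    return sha256_hex(compile_source(source)) == sha256_hex(released_artifact)


def demo() -> Dict[str, bool]:
    clean_artifact, clean_sig = release(honest_build, CLEAN_SOURCE)
    evil_artifact, evil_sig = release(compromised_build, CLEAN_SOURCE)
    return {
        # Both releases carry a valid vendor signature...
        "clean_signature_valid": verify_signature(clean_artifact, clean_sig),
        "trojaned_signature_valid": verify_signature(evil_artifact, evil_sig),
        # ...but only the honest build reproduces from the source repository.
        "clean_reproducible": reproducible_build_check(clean_artifact, CLEAN_SOURCE),
        "trojaned_reproducible": reproducible_build_check(evil_artifact, CLEAN_SOURCE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that `verify_signature` returns True for the trojaned release because the signing key was never stolen; the build output was altered before signing. Only `reproducible_build_check`, which rebuilds from the repository on infrastructure the release server cannot touch, distinguishes the two, which is why build-system integrity and independent rebuilds belong in a DevSecOps pipeline alongside code signing.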
Unless you have a third party such as Abacode, powered by Trifecta, providing eyes-on-glass, 24/7/365 monitoring for these types of breaches, you are flying blind.
Without continuous monitoring you have no way of knowing that a breach is underway, and no chance to respond before the damage is done. Whether or not you are a SolarWinds customer, what can you do today? Have our team review your current cybersecurity strategy, perform a comprehensive assessment, and create a customized plan designed to manage and reduce your cyber risk at all levels.