“Nothing is foolproof to a sufficiently talented fool…”
In other words, if something can go wrong – it will. Such is the case with the recent SolarWinds cyber attack that surprised nearly everyone in the field of cyber security.
The threat actors behind this brazen attack are anything but fools – they are resourceful and capable, and it’s a reminder that even the most hardened cyber security posture can be compromised, and vulnerabilities remain pervasive.
An Evolving Threat
It’s now believed that over 250 federal agencies and businesses have been impacted by the SolarWinds hack, with far more reach than initially thought. Microsoft, which has been a prominent leader in sharing information about the attack, noted that “attempted activities [went] beyond just the presence of malicious SolarWinds code in our environment…we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.”
As the days pass, the picture grows more disturbing: the attackers reviewed Microsoft source code, raising the possibility that new zero-day vulnerabilities will be found and weaponized by threat actors. This has wide-reaching implications for organizations and their connected devices. The impact on IT systems is already being confirmed: on January 6, 2021, the U.S. Department of Justice announced that a number of its Microsoft O365 mailboxes had been accessed as a result of the SolarWinds incident.
What was the cause of the SolarWinds incident?
In a sophisticated APT campaign, the attackers inserted a backdoor into a legitimately signed build of the SolarWinds Orion Platform software and distributed it to customers through the standard update mechanism, beginning in March 2020.
Trojanized updates reached as many as 18,000 SolarWinds customer networks, making this one of the most cunning and widespread supply-chain attacks in the history of cyberspace.
The backdoor itself is tracked as “SUNBURST”. After a dormant period it beaconed out over DNS, and in the subset of victim networks the attackers chose to pursue, they used it to deploy further tooling and move laterally toward their ultimate targets. A separate webshell implanted within SolarWinds Orion, called “SUPERNOVA”, was also discovered recently; SolarWinds and CISA assess that it was not delivered through the supply-chain compromise and is likely the work of a different actor.
In some instances, the threat actors obtained the private key of the ADFS (Active Directory Federation Services) token-signing certificate. With it they could forge SAML tokens for any user (an attack known as “Golden SAML”) and gain unfettered access to the target systems, including an enterprise victim’s cloud resources.
Dozens of governmental agencies and commercial enterprises have been impacted by the SUNBURST malware, including the U.S. Treasury Department, DHS, Microsoft, and a few high-profile hospitals in the United States and abroad.
APT29, aka Cozy Bear, was reported to be the threat actor behind this massive attack.
CISA has issued corresponding alerts and directives. Based on that guidance, we recommend the following steps:
1. Remediate your SolarWinds installation
Organizations running the following affected versions should update to the corresponding hotfix versions:
Orion Platform v2019.4 HF 5 : update to Orion Platform version 2019.4 HF 6
Orion Platform v2020.2 with no hotfix : update to Orion Platform version 2020.2.1 HF 2
Orion Platform v2020.2 HF 1 : update to Orion Platform version 2020.2.1 HF 2
Follow the SolarWinds security advisory for details.
2. Detect signs of the malware in your network
Hunt for the indicators of compromise (IoCs) published with the CISA advisory (also available as a STIX file). Pay particular attention to DNS queries for the domain avsvmcloud[.]com and its subdomains: SUNBURST beaconed to per-victim subdomains of that domain, so any such query from a host running Orion is a strong signal of compromise.
3. Map the scope/reach of SolarWinds service accounts in the network and look for anomalies
Map the devices the SolarWinds service accounts logged on to in the past X days (the trojanized updates date back to March 2020, so look back at least that far) and look for anomalies - e.g., logons to devices SolarWinds should have no reason to access, or interactive logons by an account that should only authenticate as a service.
We urge changing the credentials for these accounts, in line with CISA's guidance.
4. Harden SSO access
Forged SAML tokens were used to impersonate users and reach their on-premises and cloud resources. The reasonable step here is to make sure MFA/2FA is enforced, at least for sensitive accounts. Note, however, that MFA alone does not defeat a forged token, because an attacker-signed assertion can simply claim that MFA was already satisfied. If there is any chance the ADFS token-signing certificate was exposed, rotate it (Microsoft's guidance is to roll it twice in succession so that cached copies also expire) and review the federation trust configuration for unexpected changes.
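The two hunting steps above (2 and 3) can be turned into a small script. The following is an added example, not code from CyberMDX or from the CISA advisory; the log layouts, the service account names, the host allow-list and every log line are constructed for illustration and must be adapted to your own exports:

```python
# Added example: hunt for (1) DNS queries to the SUNBURST C2 domain avsvmcloud[.]com and
# (2) anomalous logons by SolarWinds service accounts. All log lines, account and host names
# are constructed; the log layouts are assumptions and must be adapted to your own exports.
import csv
import io
from collections import defaultdict

SUNBURST_C2_DOMAIN = "avsvmcloud.com"

# Constructed DNS log: "<timestamp> <client-ip> <query-name>" (assumed layout).
DNS_LOG = """\
2020-12-10T03:14:07Z 10.20.1.15 login.microsoftonline.com
2020-12-10T03:14:09Z 10.20.1.40 example0encodedvictim.appsync-api.us-west-2.avsvmcloud.com
2020-12-10T03:15:11Z 10.20.1.40 AVSVMCLOUD.COM.
2020-12-10T03:16:02Z 10.20.1.15 downloads.solarwinds.com
2020-12-10T03:16:30Z 10.20.1.22 notavsvmcloud.com
"""

# Constructed export of Windows Security events: "<timestamp>,<event-id>,<account>,<host>,<logon-type>".
# Event 4624 is a successful logon; logon type 3 = network, 2 = interactive, 10 = RemoteInteractive (RDP).
LOGON_LOG = """\
2020-12-11T22:01:03Z,4624,corp\\svc-solarwinds,orion-srv01,3
2020-12-11T22:05:44Z,4624,corp\\svc-solarwinds,orion-db01,3
2020-12-11T23:48:19Z,4624,corp\\svc-solarwinds,adfs01,10
2020-12-12T00:02:07Z,4624,corp\\svc-orion-poll,dc01,3
2020-12-12T00:10:55Z,4624,corp\\jsmith,hr-ws12,2
"""

# Assumed names of the SolarWinds service accounts and of the hosts they legitimately reach.
SOLARWINDS_SERVICE_ACCOUNTS = {"corp\\svc-solarwinds", "corp\\svc-orion-poll"}
EXPECTED_LOGON_HOSTS = {"orion-srv01", "orion-db01", "core-sw01"}
INTERACTIVE_LOGON_TYPES = {"2", "10"}
# Trojanized Orion updates were distributed from March 2020, so look back at least that far.
LOOKBACK_START = "2020-03-01T00:00:00Z"


def is_c2_domain(qname, c2=SUNBURST_C2_DOMAIN):
    """True if qname is the C2 domain or a subdomain of it; case-insensitive, trailing dot tolerated.
    Look-alikes such as notavsvmcloud.com or avsvmcloud.com.evil.example do not match."""
    name = qname.strip().lower().rstrip(".")
    return name == c2 or name.endswith("." + c2)


def find_sunburst_dns(log_text, since=LOOKBACK_START):
    """Return DNS log entries (as dicts) whose query name matches the SUNBURST C2 domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        ts, client, qname = parts
        if ts >= since and is_c2_domain(qname):  # ISO-8601 UTC timestamps compare lexically
            hits.append({"time": ts, "client": client, "query": qname})
    return hits


def _service_account_logons(log_text, service_accounts, since):
    """Yield (timestamp, account, host, logon_type) for successful logons by the given accounts."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue
        ts, event_id, account, host, logon_type = row
        if event_id == "4624" and ts >= since and account.lower() in service_accounts:
            yield ts, account, host.lower(), logon_type


def host_map(log_text, service_accounts, since=LOOKBACK_START):
    """Step 3's 'map the devices': which hosts has each SolarWinds service account logged on to?"""
    seen = defaultdict(set)
    for _ts, account, host, _logon_type in _service_account_logons(log_text, service_accounts, since):
        seen[account.lower()].add(host)
    return dict(seen)


def find_service_account_anomalies(log_text, service_accounts, expected_hosts, since=LOOKBACK_START):
    """Flag service-account logons to hosts outside the expected set, or of an interactive type."""
    anomalies = []
    for ts, account, host, logon_type in _service_account_logons(log_text, service_accounts, since):
        reasons = []
        if host not in expected_hosts:
            reasons.append("logon to host outside the expected set")
        if logon_type in INTERACTIVE_LOGON_TYPES:
            reasons.append("interactive logon (type %s) by a service account" % logon_type)
        if reasons:
            anomalies.append({"time": ts, "account": account, "host": host, "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    for hit in find_sunburst_dns(DNS_LOG):
        print("SUNBURST C2 DNS query:", hit)
    print("Service account host map:", host_map(LOGON_LOG, SOLARWINDS_SERVICE_ACCOUNTS))
    for anomaly in find_service_account_anomalies(LOGON_LOG, SOLARWINDS_SERVICE_ACCOUNTS, EXPECTED_LOGON_HOSTS):
        print("ANOMALY:", anomaly)
```

On the constructed data the DNS check flags both queries from 10.20.1.40 (the per-victim subdomain and the bare apex, regardless of case or trailing dot) while ignoring the look-alike notavsvmcloud.com, and the logon check flags the polling account's RDP session onto the ADFS server and the other service account's logon to a domain controller, which is exactly the pattern of a service account being repurposed for lateral movement.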
How Can CyberMDX Help?
Hospitals must contend with managing thousands of connected medical devices along with an evolving regulatory landscape. In addition, the risk of cyber attack is higher than ever before and having a limited security posture won’t provide the contextual visibility necessary to understand and protect medical environments.
With respect to the SolarWinds attack, the CyberMDX Healthcare Security Suite can:
- detect indicators of compromise (IoCs) of the SUNBURST malware in network traffic, especially DNS queries
- track the scope and reach of SolarWinds service accounts, including historic ones - using a Control Center query
- detect deviations from baseline, scanning behavior, and other malicious or abnormal activity typical of the lateral-movement stage of SUNBURST's infection chain. Because the attackers are not familiar with the normal behavior or the function of the devices, they cannot perfectly mimic natural device behavior. Their mistakes can be caught by CyberMDX, which identifies and classifies devices and baselines their normal behavior
The SolarWinds attack and the recent Ryuk ransomware attacks demonstrate that enterprises – and hospitals in particular – must remain vigilant. Although 2021 is a new year, 2020 is a good indication that the volume and velocity of these attacks will continue to increase.
Follow the recommendations above and consider bolstering your existing cyber security tools with more advanced, industry-specific solutions that can address gaps in your security posture.