SolarWinds attack poses major cybersecurity risk

Tuesday, 2 February 2021

The technology world has been reeling from the attack on SolarWinds1. The company FireEye has said that its network has been breached via malware inserted into SolarWinds software update.

SolarWinds

The US Treasury Department is one of the first organizations to acknowledge that its networks were infiltrated through the SolarWinds supply chain breach. SolarWinds was widely deployed in the US government and additional organizations including the US Energy Department and National Nuclear Security Administration, the Federal Energy Regulatory Commission and the US State Department have now acknowledged attacks on their networks.

SolarWinds was subjected to cyberattack that inserted a vulnerability SUNBURST into their Orion Platform software (versions 2019.4 HF 5, 2020.2 with no hotfix installed and 2020.2 HF 1). The attack involved installing malicious backdoors into software updates for SolarWinds' Orion network management software. Once those updates were installed by organizations, the attackers had free-ranging access to networks and could install other malware and access data, such as email accounts. The attacker can change passwords or create accounts or spin up new virtual machines, giving the attacker wide ranging access.

The Computer Emergency Readiness Team (CERT) issued an Emergency Directive 21-01 regarding the SolarWinds SUNBURST vulnerability on 13 Dec 2020 followed by an update Alert (AA20-352A) on 17 Dec 2020. SolarWinds has asked its customers with affected products to upgrade to more secure versions of their platform Orion Platform version 2020.2.1 HF 2 and Orion Platform 2019.4 HF 6, as soon as possible to better ensure the security of the environment. Additional mitigation mechanisms include having the Orion Platform installed behind firewalls, disabling Internet access for the Orion Platform, and limiting the ports and connections to only what is required to operate your platform.

Microsoft and a group of other tech companies claim that they have seized a malicious domain that was being used as a command-and-control server to communicate with networks infected through the SolarWinds supply chain attack. The domain has been reconfigured so that in some cases it acts as a kill switch, preventing the malware that was distributed through the compromised SolarWinds software update system from operating. Though the command and control domain has been sinkholed, existing vulnerable versions need to be isolated and shutdown. It is advisable to collect a forensic image of the system, including memory, prior to shutdown to aid analysis.

SolarWinds has indicated that as many as 18,000 organizations could have downloaded the infected updates, However, it is believed that, as of now, only a few dozen organizations, with many in the US government sphere, have been deeply penetrated.

US Cybersecurity and Infrastructure Security agency (CISA) and SolarWinds

The CISA warned on 17 Dec 2020 that the SolarWinds compromise "is not the only initial infection vector this actor leveraged." The CISA has been investigating evidence which indicate that the attackers have been using additional access vectors, other than the SolarWinds Orion platform, to infiltrate targeted networks. These include SAML tokens with unusually long lifetimes (24 versus 1 hour) as well as fake valid SAML signing certificates and sequential user access from geographically dispersed locations.

CISA notes the incident response firm Volexity2 had found techniques and procedures that could tie the recent cyberattacks exploiting SolarWinds software to multiple incidents from late 2019 and 2020 against a US think tank. Volexity investigated three intrusions designed to obtain the e-mails of specific individuals within the think tank. In one incident, the threat actor was discovered accessing the email account of a user through Microsoft's Outlook Web App (OWA) service. Though the targeted mailbox was protected by multifactor authentication, the attacker was able to bypass the multifactor authentication (MFA) security by using a special cookie that granted access to the account only with a username and password. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented cookie tied to a Duo MFA session named duo-sid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account.

In another incident, Volexity identified suspicious administrative commands and ActiveSync anomalies in the organization’s Exchange environment. Further review of the organization’s endpoint software and network traffic confirmed a breach. The attacker had executed commands to export e-mail for specific users in the organization, and then exfiltrated the data via the organization’s Outlook Web Anywhere (OWA) server.

Volexity provided some examples of command-line actions the attacker took after gaining access to the target network, which provide insight into the attacker objectives. It seems that the attacker was quite adept with Exchange and immediately listed various organization configuration settings via PowerShell. At the time of the investigation, Volexity deduced that the likely infection was the result of the SolarWinds box on the target network; however, it was not fully understood exactly how the breach occurred (i.e. whether there was some unknown exploit in play, or other means of access), therefore Volexity was not in a position to report the circumstances surrounding the breach to SolarWinds.

The SolarWinds supply chain breach has prompted the US National Security Council (NSC) to invoke a cybersecurity emergency process established under the Obama administration. Despite the efforts by the federal government and companies such as Microsoft and FireEye, the threat continues and remains a cause for alarm. In its advisory, CISA said that the attacker is patient, well-resourced, and focused. The SolarWinds Orion supply chain compromise is not the only infection vector used by this threat actor. Further, not all organizations affected by the SolarWinds compromise have yet been targeted by the attacker with additional actions. CISA also said the adversary has shown an ability to exploit software supply chains combined with a strong knowledge of Windows networks. As such, the attacker likely has more access vectors as well as tactics, techniques, and procedures that are yet to be discovered.

Professor Vijay Varadharajan
Global Innovation Chair Professor in Cyber Security
The University of Newcastle

18 December 2020

1Microsoft Finds Backdoor, CISA Warns of New Attack Vectors

2Volexity, “Dark Halo Leverages SolarWinds Compromise to Breach Organizations”


Related news

The University of Newcastle acknowledges the traditional custodians of the lands within our footprint areas: Awabakal, Darkinjung, Biripai, Worimi, Wonnarua, and Eora Nations. We also pay respect to the wisdom of our Elders past and present.