The SolarWinds Hack

By Hubert Yoshida posted 03-05-2021 18:34

Slolar Winds.jpg
In January, the United States went through a tremendous time of upheaval, with the soaring number of deaths from the pandemic, political unrest, and racial discord. While all this was happening, we now learn that the United Stated suffered the greatest cyberattack in history which had been happening for nearly a year, and whose full effects are not yet understood.  

A group of hackers, likely from a foreign government, had gotten into a network management company called SolarWinds and infiltrated its customers’ networks. This access was then used to breach everything from Microsoft to US government agencies, including the US Treasury and departments of Homeland Security, State, Defense, and Commerce. SolarWinds is a network management software product that sits on your network, and it lets you know how things are working and helps the network run smoothly. It is used by a large percentage of the biggest companies in the United States and the biggest government agencies in the United States.

Somehow the attackers got into the code-building environment of SolarWinds, where they were able to insert a backdoor into SolarWinds’ Orion network management software code through a maintenance update. They did it in such a way that it only happens when the code is being compiled at the last minute. So, it was almost impossible to find, but once they were in there, anybody who downloaded at least two recent updates of the Orion software downloaded this backdoor. Once inside the attackers could connect with the code and deploy additional code for further exploitation. The hacked code was downloaded by 18,000 users and at least 50 important customers, including the U.S. State Department, Homeland Security, Treasury and other major parts of the Government were exposed.

This is known as a supply chain attack where someone infiltrates your system through an outside provider who has access to your system and or data. In this case the outside provider was SolarWinds. SolarWinds, itself, may have been infiltrated by an outside provider. Today, with Dev Ops and Open source, the opportunity for supply chain attacks has increased. Providers of outside code are now having to provide digital certificates to authenticate their code.

Although the government and cyber sophisticated companies like Microsoft and Cisco had extensive cyber detection tools, the SolarWinds hack went undetected for more than a year. (It didn’t help that the U.S. Cyber Security Chief, Christopher Krebs was fired during the U.S. elections in November.) FireEye, a cyber security company, was the first to detect the hack when it noticed that one of its employees had two phone numbers for its two factor authentications where an employee is called back on his cell phone to authenticate his access. When the employee responded that he only registered one phone number, FireEye was alerted. They could have passed this off as a false positive, but to their credit they took this as a serious breach and dug into the code, tearing it apart, until it found the hacked code in SolarWinds’ Orion network software.

How was SolarWinds, a security company, hacked in the first place? There are some reports that it was due to a weak password that was used by a SolarWinds intern and posted on his GitHub. This password was identified as “solarwinds123”. I find this hard to believe since this violates all the basic rules for passwords and should have been rejected by the system. Also, most systems today use two factor authentication which was how this was detected by FireEye.

SolarWinds has responded with a Security Advisory, listing what modules are affected and what action should be taken.  However, this is like closing the barn door after the horses are gone. We don’t know what secondary code was injected without tearing the whole network apart and starting from scratch.

So far, the effects have been about espionage, the loss of secrets, and knowledge of source code that could be exploited in the future. No one has died and no infrastructure has been destroyed – yet. Although that can easily be done with the addition of a few lines of code.  The NotPetya cyberattacks on the Ukraine in 2017 are a good example of how physically destructive these types of attack can be, where power is shut off, and banking systems do not work.

Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, has taken the lead on this investigation and said the US intelligence community is still looking at who is responsible. President Joe Biden's administration is expected to respond in the coming weeks. assessing what was hacked will take months and may never to fully determined.
There are several things we need to consider based on what we know so far:
  • Two factor authentication should be implemented along with passwords and the use of strong passwords should be enforced.           
  • Supply Chain hacks are increasing and measures must be taken to authenticate third party code. CSO Online published a blog on some ways to guard against Supply Chain attacks.
  • Supply Chain Attacks are likely to occur in widely used software since it can affect more users.
  • Avoid Automating updates to sensitive code. A patch management system should require third-party risk testing or have some standards that vendors need to comply with.
  • CSO Online also suggests that this is the time to double down on “Least Privilege”. The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights. Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups.
  • For a quick over view of supply chain attacks see Supply Chain Attack on Wikipedia. ​​​​​​​




05-02-2022 02:06

Great write-up

04-27-2022 02:48

Great Post