Anatomy of a hack – SolarWinds Orion
By James Gorman, CISO, Authx
What happened when one of the leading IT support vendors in the world, leading government agencies the world over and up to 18,000-33,000[1] companies running the affected version (2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1)[2] of SolarWinds Orion software.
What happened.
- The threat actor – indicated to be a nation state in Microsoft’s Threat Intelligence Center’s release[3] – was able to compromise the update process for SolarWinds and embed a trojan horse that allowed the attacker to gain administrative access to the network.
- Using the acquired administrative access the intruder used a lateral attack to gain access to the certificate signing credentials of the organization. This allows the attacker to generate “real-looking” credentials to continue to move throughout the organization.
- Using the now trusted yet hacked credentials, the attacker then takes stock of what else they have access to in the organization, on-premises and cloud based. Because they are using seemingly valid credentials, they do not trip most alerts, which look for unusual login failures.
- Once the attacker has access to a Global Administrator’s account or its trusted certificate, they use that to impersonate the admin. They essentially have the keys to the kingdom and can create new global admins, add them to existing services and/or create new services, and then go after API access to the organization.
What has been reported is that once this particular hacker gets access to the global administrator account, they keep the malicious programs – malware – to a minimum and use remote access to move through the enterprise and take over code repositories, trade secrets, MS Office 365, Azure Active Directory, essentially every system that relies on federated access and authentication. The list of who was hacked keeps growing, and it is a veritable who’s who of what a nation-state actor would want – US State Department, Pentagon, Department of Homeland Security, National Institutes of Health and others, as well as many private firms[4]. While many of the known targets are the “big guys”, if you use SolarWinds Orion, assume you are compromised.
If you use SolarWinds Orion, assume you are compromised, take it offline, upgrade and contact SolarWinds. https://www.solarwinds.com/securityadvisory
If you are a CISO or security professional, you should know that in this hack you could do everything right and still have been vulnerable. You could have anti-malware tools running, login restrictions on sensitive systems, monitoring of the failures, all the things you would do in a traditional defense in depth environment. Because you trusted your supply chain, and one of the largest and most trusted names in network monitoring and management was breached, you are now vulnerable and probably compromised.
You could have done everything right and still been compromised! This is the lesson to learn here: all you can do is mitigate and minimize the damage done. Some hackers are very, very good, and your security is only as good as the weakest link in your supply chain. It could be one of your largest and most trusted IT suppliers that is the avenue of attack. You have to trust and verify everyone.
So what is a person to do if they are or are not compromised? There are some things that, had they been in place, could have mitigated or limited the damage due to the internal spread of this particular hack. We still do not know how the development/release system at SolarWinds was compromised – I for one am looking forward to seeing how that happened.
What to do now that we know what we know –
- Update your software frequently – this is still the best way to keep known vulnerabilities at bay. Don’t let this supply chain hack scare you into not keeping your systems up to date. It is one of the most basic principles in cybersecurity – patch your systems.
- Use updated antivirus systems that are quickly updated to mitigate this attack.
- Monitor your network and systems for anomalous behavior – look for multiple PowerShell accesses to Active Directory from the same machine, especially privileged sign-ins.[5]
- Look for additions to your federated services, and use best practices for securing your AD FS services.[6]
- Use whitelists for access to your sensitive network segments – block outbound traffic except what is needed for vital business processes on your trust segments. This blocks the trojan’s access to its home Command and Control (C2) servers, through which the hackers then get access to your environment.
- Use hardware-based tokens (HSMs) for SAML signatures.
- Alert and verify as authorized new access credentials on OAuth applications and
- Reduce attack surface by removing applications and service principals that are not needed on your systems. Make sure you are logging the service principal access and look for anomalies.
- Use multifactor authentication with biometric factors for all logins.
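The monitoring items in the list above (new credentials on OAuth applications and service principals, additions to federated services, repeated PowerShell sign-ins from one machine) can be sketched as detection logic. This is an added example, not code from the original article: the record layout, operation names, account names and device names are assumptions and constructed sample data, to be mapped onto whatever your directory audit and sign-in logs actually emit.

```python
from collections import defaultdict

# Audit operations worth a human look. Names and record layout are assumptions
# for this example; map them to the fields your directory audit log emits.
WATCHED_OPS = {
    "Add service principal credentials": "new credential on an OAuth app/service principal",
    "Set federation settings on domain": "federation trust changed",
    "Add member to role": "role membership added",
}

def unverified_changes(audit_events, approved):
    """Return watched audit events that have no matching approved change."""
    alerts = []
    for ev in audit_events:
        key = (ev["actor"], ev["op"], ev["target"])
        if ev["op"] in WATCHED_OPS and key not in approved:
            alerts.append({**ev, "reason": WATCHED_OPS[ev["op"]]})
    return alerts

def powershell_bursts(signins, threshold=3):
    """Devices with >= threshold PowerShell sign-ins, privileged ones first."""
    per_device = defaultdict(lambda: [0, 0])  # device -> [total, privileged]
    for s in signins:
        if s["client"] == "PowerShell":
            per_device[s["device"]][0] += 1
            per_device[s["device"]][1] += int(s["privileged"])
    hits = [(d, t, p) for d, (t, p) in per_device.items() if t >= threshold]
    return sorted(hits, key=lambda h: (-h[2], -h[1]))

# Constructed sample data, not taken from any real incident.
AUDIT = [
    {"actor": "svc-deploy", "op": "Add service principal credentials", "target": "billing-api"},
    {"actor": "admin-a", "op": "Add service principal credentials", "target": "mail-archiver"},
    {"actor": "admin-a", "op": "Set federation settings on domain", "target": "example.com"},
    {"actor": "admin-a", "op": "Add member to role", "target": "Global Administrator"},
    {"actor": "helpdesk", "op": "Reset user password", "target": "user42"},
]
# Changes already verified as authorized (constructed change record).
APPROVED = {("svc-deploy", "Add service principal credentials", "billing-api")}
SIGNINS = [
    {"device": "WS-017", "account": "admin-a", "client": "PowerShell", "privileged": True},
    {"device": "WS-017", "account": "admin-b", "client": "PowerShell", "privileged": True},
    {"device": "WS-017", "account": "svc-backup", "client": "PowerShell", "privileged": False},
    {"device": "WS-102", "account": "user7", "client": "Browser", "privileged": False},
    {"device": "WS-102", "account": "user7", "client": "PowerShell", "privileged": False},
]

if __name__ == "__main__":
    for a in unverified_changes(AUDIT, APPROVED):
        print("ALERT", a["actor"], a["op"], a["target"], "-", a["reason"])
    for device, total, priv in powershell_bursts(SIGNINS):
        print("REVIEW", device, f"{total} PowerShell sign-ins, {priv} privileged")
```

Because the attacker in this scenario holds valid credentials, the check keys on what changed and whether it was approved rather than on login failures.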
Authx https://authx.com is a prime example of how to verify who actually has access to your systems. It is a multifactor authentication mechanism that uses biometrics – face, finger, palm or one-time pad to give additional validity to the user access experience. Authx or another would have limited the ability for lateral movement and the persistence of this or most imposter credential attacks.
[1] https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
[2] https://www.solarwinds.com/securityadvisory
[3] https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
[4] https://news.yahoo.com/solarwinds-orion-more-us-government-131005599.html
[5] https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins
[6] https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs
Using DNS Made Easy to add resilience to your website
I have been working with a startup customer that has a very limited budget but needs resiliency – in other words, cannot afford downtime. In a previous iteration the CEO and I built a Payments Gateway and used the F5 GTM to provide geographically diverse failover capability and it cost big $$. So naturally he wanted it yesterday and for nothing… 🙂
What we had
- Production site in a Data Center in one US State
- DR site in another US state
- Ability to program a valid transaction to ensure end to end availability
What we wanted:
- Active monitoring of website
- Failure notification
- Multiple sites to monitor from
- Automatic failover to DR site
- Automatic Failback to Prod site when test is clear.
What I found – DNS Made Easy – made it very easy to do exactly what we needed. I won’t go into all the details but check it out – if you need to set up failover, automatic or manual, I cannot recommend them enough!
Blog Post #1
Welcome to jgorman.biz blog post. I am going to record some of the things that I have come across in my consulting and daily work that were interesting or what I want to come back to.
I have been spending much of my time building highly available and scalable infrastructure with open source tools and commodity hardware providing price competitive rapidly deployable SaaS clouds.