Sunburst – More heat than light

By now it is unlikely that anybody working in the cyber security industry is unfamiliar with the SolarWinds breach and code compromise, now known as the Sunburst hack.

To recap: FireEye, on discovering that some of their intellectual property in the form of their offensive and red-teaming tools had somehow become available in the shadier corners of the internet, quickly established that attackers had gained access to their internal network via a maliciously modified installation of the network management suite SolarWinds Orion. SolarWinds have issued a security advisory and FAQ.

FireEye have also published details of the attack and of their considerable efforts to assist the community at large in identifying and dealing with the compromise.

This is an audacious attack which compromised the SolarWinds supply chain and leveraged their software update infrastructure to distribute the modified code to, at time of writing, approximately 18,000 of their customers. The malicious SolarWinds updates were uploaded to SolarWinds' own infrastructure and, importantly, digitally signed with authentic SolarWinds credentials.

There is, as yet, no word on how the SolarWinds environment was initially breached.

Some of those 18,000 customers are very significant targets – most US government departments and a “who’s who” of big tech and finance.

On December 13th, the US Department of Homeland Security issued an emergency directive which instructed all government departments to patch their SolarWinds installations or, if unsure or not capable of doing so, pull the plug on the servers.

This type of compromise has the potential to be a nightmare scenario, and it is difficult and time consuming to deal with.

The problem is that while it is very straightforward to identify whether you have a compromised SolarWinds server on your estate (we, like many others, were able to build indicators of compromise for our intelligence and managed services platforms almost immediately when the news came out), it is far from easy to work out precisely how long the hackers have had access to your network via the SolarWinds server and, critically, what they did while they were there.

SolarWinds themselves make the following statement in answer to the question “How do I know someone didn’t move horizontally in my network and compromise another system?”:

“If the vulnerability executed in your environment, you may see network traffic from the Orion server to the internet. This traffic would be directed to a domain other than a SolarWinds domain. Horizontal or lateral movement by an attacker would indicate that they have gained privileged level access to your environment. Increased security event monitoring, close inspection of server and application access logs, and understanding what local accounts exist on your corporate systems will help to identify any signs of misuse.”

Right. That’s clear. I just need to inspect all of my server logs and review all of my code commits over the last unknown period of time, let’s say 3 months, and look for anything unusual.

For many organisations, that is just not practical. Affected customers with MDR or Behavioural Analytics in place have more of a chance, plus the ability to hunt for threats over an extended timeline, but if those systems are in place it begs the question: why wasn’t any unusual activity detected at the time of the compromise? Or, if it was, why wasn’t it acted upon?

It’s not our place to cast aspersions. Everyone involved in cyber security at the affected organisations is, I’m sure, working very hard to fix the damage, and will have designed and implemented their security systems to be compliant with regulations and best practice – there’s a real sense of “there but for the grace of God…”, and taking the moral high ground is not helpful. I’ve been pleasantly surprised that the majority of the cyber security community has been very supportive and has immediately offered whatever assistance it can to its customers, to SolarWinds and to FireEye.

And yet, it is tempting to ask why enterprise network management systems have access to the internet at all. The call-home function of the malicious SolarWinds code will not work if it can’t talk to the C&C servers, so even if your server is compromised, the hackers can’t get a remote shell.
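SolarWinds' statement above and the egress point just made amount to one concrete check: review outbound proxy or firewall logs for connections from the Orion server to anything other than a SolarWinds domain. The script below is an added illustration of that check, not code from the original post or from SolarWinds or FireEye; the log format, host names and destination domains are constructed, and only the allowlist entry solarwinds.com is taken from the page's "a SolarWinds domain".

```python
"""Flag outbound connections from a monitored Orion host to non-allowlisted domains.

Added illustration; the log format, host names and destinations are constructed.
"""
from dataclasses import dataclass

# Constructed sample egress log: timestamp, source host, destination domain, port, bytes out.
SAMPLE_LOG = """\
2020-12-14T02:11:05Z orion-01 downloads.solarwinds.com 443 51200
2020-12-14T02:13:40Z orion-01 api.solarwinds.com 443 2048
2020-12-14T02:15:22Z orion-01 updates.example-unknown.net 443 4096
2020-12-14T02:16:01Z fileserver-03 windowsupdate.microsoft.com 443 8192
2020-12-14T02:17:45Z orion-01 notsolarwinds.com 443 1024
2020-12-14T02:19:10Z orion-01 cdn.example-third-party.org 80 512
"""

# Assumption: the only internet destinations an Orion server legitimately needs.
ALLOWED_SUFFIXES = ("solarwinds.com",)
MONITORED_HOSTS = {"orion-01"}  # constructed name for the Orion server


@dataclass(frozen=True)
class Egress:
    ts: str
    src: str
    dst: str
    port: int
    bytes_out: int


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        records.append(Egress(ts, src, dst.lower().rstrip("."), int(port), int(size)))
    return records


def is_allowed(domain: str, allowed=ALLOWED_SUFFIXES) -> bool:
    """Exact or parent-domain match only, so a look-alike like notsolarwinds.com does not pass."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def flag_unexpected_egress(text: str, hosts=MONITORED_HOSTS, allowed=ALLOWED_SUFFIXES) -> list:
    """Return connections from monitored hosts to domains outside the allowlist."""
    return [r for r in parse_log(text) if r.src in hosts and not is_allowed(r.dst, allowed)]


if __name__ == "__main__":
    for r in flag_unexpected_egress(SAMPLE_LOG):
        print(f"{r.ts} {r.src} -> {r.dst}:{r.port} ({r.bytes_out} bytes) not on allowlist")
```

The same allowlist, applied as an egress firewall rule rather than a log review, is what stops the call-home in the first place; the log check is what tells you whether it was ever attempted.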

It feels as though some basic principles of least access to resources may have been slipping, and it’s something we need to focus on as an industry.

Getting comfortable that your environment is secure once you’ve been a victim of this kind of attack is akin to settling back into a burgled house – you need to fully understand where the miscreants went and what they did while on your premises, and be assured that they didn’t take your spare keys to go back in at their leisure. It’s not a pleasant feeling.

At ITC we are working hard with our managed service customers to understand the impact in the context of their businesses. Our cyber advisory and professional services teams are engaged in discovery and research directed at providing much needed reassurance and technical consultancy to users who either need to know if they were victims, or what to do now they know that they are.