By now you are likely aware that a SolarWinds Orion security breach has impacted over 18,000 government agencies and businesses. This has led to a massive investigation in which information about the breach has been made public. New information surrounding the ongoing investigation is arising every day, and it is important for security-conscious organizations to stay up-to-date.
U.S. Blames Russia
Multiple U.S. intelligence agencies have formally accused Russia of the attack that has impacted a majority of the federal government. “This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the agencies said in a joint statement on their ongoing investigations into this attack.
Additional Attack Vector
On January 8th, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that password guessing, password spraying, and weak administrative credentials were used as an additional attack vector by the threat actor involved in the SolarWinds hack. This means that organizations that were not using the SolarWinds Orion software could still be at risk. The attackers targeted externally facing remote access services with weak credentials in order to deploy backdoors on internal networks.
How Does It Work?
SUNBURST and SUPERNOVA are the labels that have been assigned to the different backdoors used to persistently access compromised systems. These backdoors behave differently from the malware strains generally used to gain persistent access to internal networks. Rather than deploying full-featured malware onto compromised systems, the attackers used the SolarWinds breach to deploy a small embedded routine that lives on the system and periodically calls home for instructions. This allows an attacker to remain persistent and quiet until they are prepared to deploy full-featured malware to take over the machine and pivot through the internal network.
It is important for organizations to be constantly monitoring their network for Indicators of Compromise (IoC). Although this advanced exploit can be hard to identify, like other forms of malware it will likely leave traces that can be detected by companies that have proper monitoring in place. Affected networks will show an increase in PowerShell usage, administrative credential usage, and malicious network traffic. Proper monitoring could detect this type of behavior and stop it in its tracks before it becomes a serious problem.
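A backdoor that sits quietly and periodically calls home for instructions, as described above, produces outbound connections that are regular in time and small in size, unlike interactive browsing. That regularity is one of the traces the monitoring paragraph refers to. The script below is an added example, not code from the article or from any vendor's product; it groups outbound connections by (host, destination) and flags pairs whose inter-connection intervals are nearly constant. The log lines and the five-field layout (timestamp, host, destination, port, bytes) are constructed for the example.

```python
"""Flag periodic call-home traffic in a constructed outbound-connection log.

Added example. For each (source host, destination) pair with enough
connections, compute the gaps between consecutive connections; a low spread
(standard deviation relative to the mean) marks a timer-driven beacon rather
than a person clicking links.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/firewall log (assumed layout: timestamp, host,
# destination, port, bytes). Destinations use reserved example domains.
SAMPLE_LOG = """\
2021-01-08T03:00:00Z host17 updates.example.net 443 612
2021-01-08T03:00:04Z host17 cdn.example.org 443 48211
2021-01-08T03:30:02Z host17 updates.example.net 443 608
2021-01-08T03:31:40Z host17 mail.example.org 443 9012
2021-01-08T04:00:01Z host17 updates.example.net 443 615
2021-01-08T04:29:58Z host17 updates.example.net 443 610
2021-01-08T04:44:10Z host17 cdn.example.org 443 73002
2021-01-08T05:00:03Z host17 updates.example.net 443 609
2021-01-08T05:30:00Z host17 updates.example.net 443 611
2021-01-08T05:51:12Z host17 cdn.example.org 443 1200
2021-01-08T06:12:33Z host17 cdn.example.org 443 5000
"""


def parse(log_text):
    """Yield (timestamp, host, dest, port, bytes) tuples, skipping bad lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], int(parts[3]), int(parts[4])


def find_beacons(log_text, min_connections=5, max_jitter=0.1):
    """Return {(host, dest): mean_interval_seconds} for pairs with at least
    `min_connections` connections whose gap spread (pstdev / mean) is below
    `max_jitter`. Pairs with too few connections are ignored, so a one-off
    download never qualifies."""
    by_pair = defaultdict(list)
    for ts, host, dest, _port, _size in parse(log_text):
        by_pair[(host, dest)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (host, dest), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dest}: connects every ~{interval}s")
```

In the sample, `host17` reaches `updates.example.net` every 30 minutes give or take a few seconds and is flagged with a mean interval of 1800 seconds, while the irregular `cdn.example.org` traffic is not. Real implants add deliberate jitter, so `max_jitter` needs to be set from observed traffic rather than guessed, and a hit should be correlated with the other signals the paragraph names (PowerShell activity and administrative credential use on the same host) before anyone acts on it.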