"On December 13, 2020, the cybersecurity firm FireEye published research that a malicious actor was
exploiting a supply chain vulnerability in SolarWinds products to hack into government and private sector
information technology (IT) networks. SolarWinds confirmed the security incident. The Cybersecurity
and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to
remove certain SolarWinds products from agency networks.
Media initially reported that the U.S. Treasury and Commerce departments were susceptible to this attack;
subsequent reports added additional agencies. The list of compromised agencies and companies is
expected to expand.
As private sector and government researchers continue investigating this incident, the cybersecurity
community expects to learn more about the attack, the adversary, their targets, compromised data and
systems, and ways to recover from the incident. This Insight provides an overview of the incident, federal
response, and policy considerations.
The Attack
SolarWinds (Austin, TX) makes IT management products for business customers. These products allow
chief information officers (CIOs) to automate certain activities such as managing internet protocol (IP)
addresses, monitoring devices, and deploying updates.
A critical element to any software application or platform is the mechanism by which the vendor pushes
updates and patches to users. SolarWinds built functions into their products which push update files to
users (as is common practice).
A malicious actor discovered a way to compromise SolarWinds’ software update service for the Orion IT
management platform (a SolarWinds suite of products). The actor was able to compromise the update
channel used by Orion to distribute malware. When run, the code executed the Sunburst malware in the
SolarWinds IT management platform. Once executed, Sunburst would go dormant for a period of time (to
avoid detection) before fetching additional instructions from its command-and-control (C2) server. The
additional instructions allowed the actors to exfiltrate files, execute new commands, profile the system,
and manipulate the machine. The actors sought to hide their presence by manipulating files and disguising
their activity as normal network traffic. SolarWinds stated that of their 300,000-plus customers, roughly
18,000 are susceptible to this attack. Known vulnerable versions of the platform were released in spring
2020 and were still vulnerable through mid-December 2020."
Solar Winds Attack