Over the weekend several news outlets such as The Wall Street Journal, Reuters and the Washington Post reported that Cyber Security Intrusions were detected across the globe.
The Cyber Incident appears to be the result of hackers who are believed to be working for foreign governments. These Cyber Criminals were able to breach the software provider SolarWinds by obtaining ftp credentials that were exposed publicly on GitHub. SolarWinds is a company known for monitoring, managing and maintaining core network infrastructure equipment.
Once inside SolarWinds ftp network the Cybercriminal’s deployed malware-laced software updates that infected its Orion software platform. These updates were pushed to users around the globe. Some of these entities include several US Government Networks, Fortune 500 companies, as well as small and medium businesses who use their product.
The infected Orion software updates were laced with malware that dropped Command and Control agents. This allowed attackers to use the machines as pivot points to move laterally throughout the victim’s network.
Now the interesting thing here is the fact that Cyber Criminals were able to silently launch their attacks and potentially setup CNC (Command and Control) machines on victim’s networks undetected. Industry research has shown that, on average, advanced attacks nest inside organizations for 200 days before discovery. That’s a long time for an attacker to stealthily gather private data, monitor communications and map the network.
According to an analysis reported by Tenable the backdoor malware resides in a dynamic-link library (DLL) file name SolarWinds.Orion.Core.BusinessLayer.dll. The file was digitally signed by SolarWinds with a valid certificate on March 24, meaning it would be trusted by the underlying operating system and would not raise any alarms.
The backdoored DLL file was seeded as part of SolarWinds software builds between March and June 2020, which are accessible via the SolarWinds website. Once an organization installed the malicious software update, the backdoored DLL file would remain in hibernation for a period of two weeks before beginning its operation. This is one of the stealthy elements of this operation. FireEye says in its blog post that the backdoor also managed to “blend in with legitimate SolarWinds activity” in order to evade detection.
What makes this even more interesting is the fact that this malware Sunburst, has been in the wild for approximately 9 months before being detected. For many this is scary to think about as many companies have probably had their systems compromised or data ex-filtrated from their environment without ever knowing it. More than likely there is other malware in organizations systems that are ready to launch an attack in the future.
Now is an opportune time to evaluate your network environment and get a health check on where you stand with Obsolete OS’s, Software patching, and most of all dig into SIEM logs and determine what core infrastructure systems are calling out to the internet and why. One way to get an accurate health check is to have a pen test conducted against your environment. A Pen Test is conducted by a white hat hacker that uses a variety of tools to try and gain access to your vital computer systems. Once the pen test is completed by the white hat hacker you will be provided a report that shows what systems are vulnerable to an attack, how an attack could be launched against your organization, and ultimately steps or actions you can take to mitigate your risks.
If you or your organization would like to discuss options to evaluate, test, or discuss what your organization can do to protect it against a Cyber Security attack please reach out so we can setup a meeting with one of our Cyber Security Experts to review options.
You can reach me at [email protected] or call 863-734-8060 to schedule your appointment.
Kip Kirchberg is an International Cyber Security Expert who has experience building World Class Cyber Security Teams. His experience has been leveraged by Multiple Fortune 500 organizations to help build, tune, and enhance their Cyber Security Posture.
Experience includes but is not limited to Building SIEM platforms, Endpoint Security, 3rd Party Remote Access, Industrial Control System’s, NextGen Firewall’s, Threat Hunting to Identify Cyber Security Risks, Generating Executive Reports that lead to actionable data, Build and maintain Incident Response Team’s, Draft and Adopt Corporate Cyber Security Governance, Internal and External Pen Testing, Team Building, plus much more…
