This content was originally published by Skybox Security and has been preserved here on tufin.com for posterity.
While the world waged war on an invisible virus, the Infosec community battled an equally invisible adversary. Overwhelmed by the volume of vulnerabilities, many lost the battle temporarily. The “breached” list for 2020 [1] ran the gamut from retail to healthcare, transportation to tech, telecom, hospitality, and federal agencies. The attack techniques also ranged from phishing scams to ransomware attacks. Attacks such as the one orchestrated through the SolarWinds malware revealed deep levels of sophistication and extended planning and reconnaissance. Savvy threat management teams have learned the value of combining vulnerability exploitability with exposure analysis as the secret sauce for limiting their remediation scope to the assets at highest risk due to direct exposure to a threat actor.
Recap of the SolarWinds breach
The December 24 advisory [2] from SolarWinds explained this now infamous event as a “cyberattack to our systems that inserted a vulnerability (SUNBURST) within our Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.” Specifically, it permits an attacker to gain access to network traffic management systems and, through lateral movement, exfiltrate sensitive data.
This attack sent ripples through the infosec community as vulnerability teams scrambled to run scans and research the business impact of this newly identified threat.
What was the impact of this malware?
On December 13 FireEye published an advisory [3] regarding its discovery of the supply chain attack that trojanized SolarWinds’ Orion business software updates in order to distribute the SUNBURST malware. According to FireEye, the SUNBURST backdoor sits dormant for about two weeks, then retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. This malware has propagated across a vast supply chain, impacting organizations in all industries.
Organizations affected to date include Microsoft [4] and the National Nuclear Security Administration [5] (which maintains the US nuclear stockpile). Intel, Nvidia, and Cisco were also affected. The list of companies continues to grow as each day goes by.
How are companies addressing this now and in the future?
Teams responded quickly to the news; looking back in retrospect, we ask: “Could anything have been done to stop the attack? What techniques should have been in place to prevent propagation?”
As an immediate stopgap, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive [6] ordering all federal agencies to immediately disconnect the affected Orion products from their networks. This best-practice approach is now being adopted by many commercial entities as part of their risk mitigation process:
Discover and Analyze
- Identify all systems hosting any instance of SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. Analyze those systems for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
Respond and Remediate
- Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.
- Until affected entities can rebuild the Windows operating system and reinstall the SolarWinds software package, they are prohibited from (re)joining the Windows host OS to the enterprise domain.
- Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
- Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
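The “new external DNS domains queried by a small number of hosts” check from the Discover and Analyze step, written out as an added example (not code from the original post, Skybox, or the CISA directive). It runs over constructed DNS resolver log lines, a constructed baseline of domains seen before the lookback window, and a constructed inventory of hosts running an affected Orion build; every host name and domain is a placeholder.

```python
from collections import defaultdict

# Constructed inventory (assumption): hosts found running an affected Orion version.
ORION_HOSTS = {"orion01.corp.example", "orion02.corp.example"}

# Constructed baseline (assumption): external domains already seen before the window.
BASELINE_DOMAINS = {"updates.example-vendor.test", "cdn.example.test"}

# Constructed resolver log, one query per line: "<timestamp> <client-host> <queried-name>".
DNS_LOG = """\
2020-12-01T08:00:01Z ws-101.corp.example cdn.example.test
2020-12-01T08:00:05Z orion01.corp.example updates.example-vendor.test
2020-12-03T02:14:09Z orion01.corp.example abc123.example-rare.test
2020-12-04T02:15:11Z orion02.corp.example abc123.example-rare.test
2020-12-04T09:30:00Z ws-102.corp.example cdn.example.test
2020-12-05T11:00:00Z ws-103.corp.example news.example.test
2020-12-05T11:01:00Z ws-104.corp.example news.example.test
2020-12-05T11:02:00Z ws-105.corp.example news.example.test
2020-12-05T11:03:00Z ws-106.corp.example news.example.test
"""


def hosts_per_domain(log_text):
    """Map each queried domain to the set of client hosts that queried it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the hunt
        _ts, client, name = parts
        seen[name.lower().rstrip(".")].add(client.lower())
    return seen


def rare_new_domains(log_text, baseline, max_hosts=3):
    """Domains absent from the baseline and queried by at most max_hosts distinct hosts.

    Popular new domains (many hosts) are usually benign; rare ones deserve a look."""
    return {d: sorted(h) for d, h in hosts_per_domain(log_text).items()
            if d not in baseline and len(h) <= max_hosts}


def orion_related(findings, orion_hosts):
    """Narrow the findings to domains queried by at least one affected Orion host."""
    return {d: h for d, h in findings.items() if orion_hosts.intersection(h)}


if __name__ == "__main__":
    for domain, hosts in orion_related(rare_new_domains(DNS_LOG, BASELINE_DOMAINS), ORION_HOSTS).items():
        print(f"review: {domain} queried by {', '.join(hosts)}")
```

Any domain this surfaces is a lead for analysts to review against threat intelligence, not a verdict on its own.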
Microsoft took part in analyzing the attack [7] and responded with a counter campaign [8] by seizing domains used by the attackers. Although there is no definitive finding regarding the attack vector through which SUNBURST was introduced, there are additional schools of thought, including the claim that CVE-2020-14005 and CVE-2020-13169 were related to the breach. Our Research Labs took immediate steps to add these CVEs to the Skybox Vulnerability Dictionary.
Preventing similar attacks in the future requires a fresh approach to vulnerability management
Looking at the modus operandi of this Russian-sponsored APT actor, known as APT29 or Cozy Bear, our Research Lab indicated that the SUNBURST malware is very sophisticated, with various obfuscation techniques and multiple C2 servers. Its post-compromise activity includes lateral movement and data theft. CERT [10] says this group generally operates by “obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data.”
In November, Vinoth Kumar, a security researcher, reported to SolarWinds that their update server was accessible with a weak password and had been open for a long time before he reported it. They fixed the issue shortly after. Kumar stated [11] that the attackers could possibly have used the same FTP credentials, acquired a signing certificate, modified the .dll, signed it, and uploaded it to the FTP server.
How do organizations as large as SolarWinds keep track of millions of credentials while keeping up with the deepening flood of vulnerabilities appearing on a daily basis? Effective vulnerability management requires a fresh outlook. Traditional threat management methods of scanning assets for improper configurations and remediating through patching or segmenting continue to fail. Risk and security professionals must use deep context to target high-value assets (such as development and update servers) that contain vulnerabilities exploited in the wild and, more importantly, are exposed to threat actors seeking to breach them. The magic combination of exploitability and exposure analysis, built on a solid foundation of asset intelligence, produces a focal point for remediation that can be done quickly and effectively.
References
[1] 2020 Data Breaches: The most significant breaches of the year
[2] SolarWinds Security Advisory
[3] FireEye Threat Research Blog
[5] DoE breach
[7] Microsoft customer guidance on the attack