The SolarWinds supply-chain attack, disclosed in December 2020, is one of the most damaging intrusions of recent years. A trojanised update to SolarWinds' Orion software gave the perpetrators a foothold inside several key US government agencies and American businesses, and its impact on cybersecurity has been massive. Supply-chain attacks on this scale are rare, which is one reason this one has drawn so much attention.
Through this blog, we will walk through the timeline of events and what is known so far about the SolarWinds attack. But first, let us look at what SolarWinds is.
What is SolarWinds?
SolarWinds is a software company whose products are mainly systems-management tools for IT professionals. Its most widely deployed product is Orion, a Network Management System (NMS). An NMS is a prime target for attackers for several reasons.
A Network Management System has to reach every device it manages or monitors, so the firewall rules and ACLs that segment the rest of the network are deliberately opened for it; an attacker who controls the NMS inherits that reach. This is the main reason it is such a valuable location for an attack. A second reason is that an NMS is usually configured not only to monitor events but to respond to them, which means it holds the credentials and permissions needed to change the configuration of the devices it manages. If the NMS can make a change, an attacker who controls it can make the same change. Even an NMS deployed as "monitor only" still holds some level of access to every device, typically read credentials such as SNMP community strings or service accounts, and an attacker who parlays that into write access can reshape network traffic.
With Orion, organisations can manage and monitor systems, servers, network devices and workstations. Not every organisation configures SolarWinds identically, but it is a valuable target regardless: a monitoring system must integrate with what it watches in some way, even if that is only a simple ping. A ping by itself reveals little; in most cases it only tells you whether a host or a communication link is up. In practice, though, monitoring goes well beyond that, and the major lesson of the SolarWinds attack is that the IT team operating such tools and the IT security team need a much closer working relationship.
Who uses SolarWinds?
SolarWinds is an extremely popular and widely used Network Management System. SolarWinds reports over 300,000 customers, including the US federal government, the Department of Defense, 425 of the US Fortune 500 companies, and customers across the globe. Of these, SolarWinds estimated in its December 2020 regulatory filing that fewer than 18,000 customers had installed one of the trojanised Orion updates.
Systems Affected by the Attack
- SolarWinds Orion Platform Version 2020.2 HF 1
- SolarWinds Orion Platform Version 2019.4 HF 5
- SolarWinds Orion Platform Version 2020.2
What we know so far
On Sunday, December 13, 2020, it was disclosed that Austin-based IT management software company SolarWinds had suffered a supply-chain attack. The attackers had inserted a backdoor, now known as Sunburst (FireEye's name) or Solorigate (Microsoft's name), into Orion software updates that SolarWinds itself signed and distributed to customers between March and June 2020. Every customer who installed those updates was running the backdoor.
FireEye was the first victim to go public: on December 8, 2020 it disclosed that it had been breached, and on December 13 it identified the Orion update as the intrusion vector. Soon afterwards, US government agencies and several tech giants confirmed that they had been affected too. Here are the developments announced since, most recent first.
20/1/2021 – Microsoft has published a new Solorigate/Sunburst deep dive
On January 20, 2021 Microsoft published a new deep dive on the Solorigate/Sunburst campaign. The post describes how the attackers avoided detection at each stage of the intrusion. Among other tricks, they renamed legitimate tools and dropped them into folders alongside files already present on the machine, so that the renamed binaries blended in with existing file names.
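The renaming trick described above leaves a detectable trace: a renamed binary still carries its build-time name in its PE version resource, which Sysmon records as OriginalFileName in process-creation events (Event ID 1). The check below is an added example written for this post; it is not code from Microsoft's deep dive or from SolarWinds, and the Sysmon-style events it runs over are constructed sample data rather than real logs.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields this check uses.
# OriginalFileName is the file name recorded in the binary's PE version resource when it was built.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # A renamed directory-enumeration tool parked under a bland name.
    {"Image": r"C:\Windows\Temp\Upgrade.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": "Upgrade.exe -f objectcategory=person"},
    {"Image": r"C:\Windows\System32\WerFault.exe", "OriginalFileName": "WerFault.exe",
     "CommandLine": "WerFault.exe -u -p 1234"},
    # An archiver renamed to look like a system binary, running from a non-system folder.
    {"Image": r"C:\ProgramData\Package\svchost.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": "svchost.exe a -hp out.rar C:\\Users"},
    # Version resource stripped: this field alone cannot convict or clear it.
    {"Image": r"C:\Tools\custom.exe", "OriginalFileName": "",
     "CommandLine": "custom.exe"},
]

# Directories where the well-known Windows binaries below are expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"svchost.exe", "werfault.exe", "rundll32.exe", "lsass.exe"}  # extend as needed


def find_renamed_tools(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag processes whose on-disk file name differs from the name baked into the binary."""
    findings = []
    for ev in events:
        on_disk = ntpath.basename(ev.get("Image", "")).lower()
        original = ev.get("OriginalFileName", "").strip().lower()
        if not on_disk or not original:
            continue  # no version resource to compare against; needs another signal
        if on_disk != original:
            findings.append({
                "image": ev["Image"],
                "on_disk": on_disk,
                "original": original,
                "command_line": ev.get("CommandLine", ""),
            })
    return findings


def masquerading_system_binaries(events: List[Dict[str, str]],
                                 names=SYSTEM_BINARIES) -> List[Dict[str, str]]:
    """Flag processes carrying a system-binary name but running from outside the system directories."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if ntpath.basename(image).lower() in names and not image.lower().startswith(SYSTEM_DIRS):
            findings.append({"image": image, "command_line": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for hit in find_renamed_tools(SAMPLE_EVENTS):
        print(f"renamed tool: {hit['image']} is really {hit['original']}  [{hit['command_line']}]")
    for hit in masquerading_system_binaries(SAMPLE_EVENTS):
        print(f"masquerading: {hit['image']}  [{hit['command_line']}]")
```

A mismatch between Image and OriginalFileName is a strong signal, but the absence of one is not a clean bill: an attacker can strip or forge the version resource, which is why the second heuristic (a system-binary name running from an unexpected directory) is checked independently rather than folded into the first.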
20/1/2021 – FireEye released an Open-Source security tool
FireEye released a new open-source tool dubbed the Azure AD Investigator. It does not stop the attackers; it audits a Microsoft 365 tenant for indicators of the techniques the SolarWinds attackers used to move from on-premises networks into the cloud, so that defenders can find and remediate that activity.
19/1/2021 – the SolarWinds attackers breached Malwarebytes
Malwarebytes is not a SolarWinds customer, but it was breached by the same attackers through a different vector from the malicious Orion update: abuse of an application with privileged access to its Microsoft Office 365 and Azure environments, which gave the attackers access to a limited subset of internal company emails.
11/1/2021 – SolarWinds provides an update on the timeline
Sudhakar Ramakrishna, President and CEO of SolarWinds, published an update confirming that the attack began with the attackers gaining access to SolarWinds' internal development environment as early as September 2019, running a trial injection in October 2019, and then building the Sunburst backdoor into Orion from February 2020. The malicious code was injected during the build process: an implant on the build system, analysed by CrowdStrike under the name Sunspot, swapped the backdoored source file in while Orion was being compiled and swapped the clean file back afterwards, which is why the code never appeared in the source repository.
6/1/2021 – Department of Justice confirmed the breach
Marc Raimondi, a spokesman for the US Department of Justice (DOJ), said on January 6, 2021 that the attackers had accessed the department's Office 365 email environment. The activity was detected on December 24, 2020. The number of potentially accessed mailboxes appears limited to around 3% of the total, and there is no indication that any classified systems were affected.
31/12/2020 – Microsoft announced the breach
On December 31, 2020 the Microsoft Security Response Center published a blog post updating its investigation of the Sunburst/Solorigate malware, the malware used in the SolarWinds attack that impacted the US government and FireEye. It states that Microsoft found no evidence of access to production services or customer data, so customers need not worry on that count. It did find unusual activity on a small number of internal accounts, one of which had been used to view source code in a number of repositories; that account had no permission to modify any code or engineering systems, and no changes were made. Microsoft also noted that its security model does not rely on the secrecy of source code, so viewing the code did not by itself materially raise the risk.
30/12/2020 – CISA updates the federal government and agencies
On December 30, 2020 CISA issued updated guidance to federal agencies. Agencies should be running Orion Platform version 2020.2.1 HF 2, the current release, in which the malicious component has been replaced with a clean build. Any instance still running Orion Platform versions 2019.4 HF 5, 2020.2 RC1, 2020.2 RC2, 2020.2 or 2020.2 HF 1 must be removed from the network or powered down, and may only return to service after being rebuilt and updated.
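Version strings for Orion are written inconsistently across asset inventories ("2020.2 HF 1", "2020.2HF1", "2020.2.HF1"), so a naive string comparison against the affected list above and the shorter list under "Systems Affected by the Attack" will miss hosts. The triage script below is an added example written for this post, not a SolarWinds or CISA tool; it normalises the version string, then classifies each host against the builds named on this page. The inventory it scans is constructed sample data.

```python
import re
from typing import NamedTuple, Tuple


class OrionVersion(NamedTuple):
    """Parsed Orion Platform version: numeric base plus an optional HF/RC suffix."""
    base: Tuple[int, ...]   # e.g. (2020, 2) or (2020, 2, 1)
    kind: str               # "" (general release), "HF" (hotfix) or "RC" (release candidate)
    num: int                # hotfix / RC number, 0 when there is none


# Accepts the spellings seen in inventories: "2020.2 HF 1", "2020.2HF1", "2020.2.HF1", "v2019.4 hf5".
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)\s*\.?\s*(?:(HF|RC)\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> OrionVersion:
    """Normalise a free-form Orion version string so that spelling variants compare equal."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    kind = (m.group(2) or "").upper()
    num = int(m.group(3)) if m.group(3) else 0
    return OrionVersion(base, kind, num)


# Builds CISA directed agencies to remove from the network or power down (the list given above).
AFFECTED = {
    parse_version(v)
    for v in ("2019.4 HF 5", "2020.2 RC1", "2020.2 RC2", "2020.2", "2020.2 HF 1")
}
# The clean build CISA required agencies to be running.
REQUIRED = parse_version("2020.2.1 HF 2")


def triage(version_text: str) -> str:
    """Classify one Orion server by its reported version string."""
    version = parse_version(version_text)
    if version in AFFECTED:
        return "ISOLATE: trojanised build; power down, rebuild and update before reconnecting"
    if version == REQUIRED:
        return "OK: running the required clean build"
    return "REVIEW: not a known-trojanised build, but not the required build either"


# Constructed inventory (hostname,version) standing in for an asset-management export.
INVENTORY_CSV = """\
orion-prod-01,2020.2 HF 1
orion-dr-01,2019.4 hf5
orion-lab-01,2020.2.1 HF 2
orion-legacy-01,2018.4
orion-unknown-01,n/a
"""


def scan_inventory(csv_text: str) -> dict:
    """Run triage over every host; unparseable versions are reported rather than silently skipped."""
    results = {}
    for line in csv_text.strip().splitlines():
        host, _, version = line.partition(",")
        try:
            results[host] = triage(version)
        except ValueError as exc:
            results[host] = f"UNKNOWN: {exc}"
    return results


if __name__ == "__main__":
    for host, verdict in scan_inventory(INVENTORY_CSV).items():
        print(f"{host:18} {verdict}")
```

Hosts that come back as REVIEW are not cleared: a version outside both lists (an older release, or a build the inventory mis-recorded) still needs the installed SolarWinds.Orion.Core.BusinessLayer.dll checked against the vendor's clean release, and any host that ever ran an affected build needs a hunt for follow-on activity regardless of what it runs today.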
29/12/2020 – Statement issued by SolarWinds suggests that there may be other victims as well
Most of the statement restates SolarWinds' commitment to continuing the investigation and to working with customers, vendors, law enforcement and government authorities to secure its products and systems worldwide. It also addresses potential victims: SolarWinds customers who installed the affected versions were the immediate victims of the attack, and the statement acknowledges that other companies may have been affected as well.
24/12/2020 – The Supernova backdoor is addressed
SolarWinds gave an update on the second backdoor found by Palo Alto Networks researchers. It stated that Supernova is not malicious code embedded in the Orion Platform through the supply chain; it is separate malware that an attacker has to place on an Orion server directly, which requires having already obtained unauthorised access to the customer's network. Supernova is a .NET web shell disguised as a legitimate Orion component so that it appears to be part of the product, and it was deployed by exploiting an authentication-bypass flaw in the Orion API (CVE-2020-10148), which SolarWinds fixed in Orion Platform 2020.2.1 HF 2.
17/12/2020 – A second backdoor is discovered
Palo Alto Networks identified a second backdoor, Supernova, in the SolarWinds Orion Platform. It is believed to have been planted by a different group from the supply-chain attackers: unlike Sunburst, it was not signed with SolarWinds' code-signing certificate and was not delivered through the update mechanism.
This brings us to the end of the blog on the SolarWinds attack. To defend against attacks like this one, it is essential to keep learning about cybersecurity and to stay current with the latest techniques and technologies in the field.
If you wish to learn more, you can upskill with Great Learning's Stanford Advanced Cyber Security Course and unlock your dream career.