FireEye discovered in early December that their network had been compromised, and that attackers stole some “Red Team” tools – tools that are used in penetration testing exercises with large clients; not actually zero-day threats but useful reconnaissance frameworks for attackers nonetheless. To help prevent malicious use of these tools, FireEye has released the source code of these tools on GitHub so that defenders can understand how they work and monitor for activity generated by these tools.
While working out how the attackers got in, FireEye discovered that the initial malware entered its environment in the form of a legitimate (i.e. vendor-signed) update to the SolarWinds Orion network monitoring platform. From there, the attackers were able to dig quietly into the FireEye network until they could steal FireEye’s tools. It is clear from this attacker’s operational capabilities and behavior that they are very sophisticated, very patient, and very capable – most likely a nation-state actor.
What Are The Implications?
The fact that the attacker was able to sneak malicious code into binaries, signed by SolarWinds, is astounding. This means the attacker managed to compromise SolarWinds first, and either planted code into their code repository without anyone noticing (which was then built into their binaries); or stole SolarWinds’ code signing certificate, signed their own variant of the SolarWinds binaries, and then injected that malicious binary into the update repository. Either way, the attacker had extensive internal access within SolarWinds and completely avoided detection. This is called a “supply chain attack” and we have never seen one at this scale before.
SolarWinds has around 30,000 customers using its Orion solution, and many more using its other solutions, all of which are now suspect. We do not envy the task in front of SolarWinds. Not a single system on its network can now be trusted. It will have to burn everything to the ground, possibly even purchase all new hardware, and install from scratch before any binary it releases can be trusted again. Other security vendors must also now revisit their internal security and code review policies, as there is little doubt that this attacker will seek out other vulnerable supply chains.
There are also major geopolitical implications as we believe this attack was perpetrated by a major nation state, and it’s clear that the attacker had very specific government targets in their sights. This brazen espionage attempt has caused a major escalation in the existing simmering cyber war between nations.
How Did The Industry React?
To their credit, FireEye promptly revealed the hack on their network soon after it was discovered, and has released some details of its investigation. FireEye, along with SolarWinds, has rapidly published Indicators of Compromise (IoCs), essentially signatures that can tell whether systems are affected, including known-malicious files, the URLs the attackers used, and other features.
Other security vendors, including anti-malware vendors such as VIPRE, have rapidly consumed these IoC signatures to support detection of compromised systems using standard scanning techniques. At the same time, behavior-based detection engines are being evaluated to ensure that they would have been able to detect this compromise proactively, and would be able to detect future threats with a similar attack vector. Unfortunately, this task is extremely difficult – by its very nature, software like the SolarWinds Orion platform is designed to be trusted, and is allowed to do things (like install system services, monitor network connections, etc.) that “normal” software is not allowed to do. And even if a behavioral monitoring system like VIPRE’s Advanced Active Protection had raised an alarm, it is very likely that the local system administrators would have said “oh, they’re complaining about SolarWinds; we trust them, it must be a false positive.” In this case, by compromising the supply chain and using techniques designed to mimic SolarWinds’ own proprietary internal communications, it’s hard to imagine that any anti-malware solution would have been completely effective in blocking this attack. This shows the power and importance of the supply chain, and how critical it is that the trust we place in security vendors is justified by strong supply chain protection.
To be specific, VIPRE has built upon the information provided by FireEye and has added signatures of known-malicious resources and activity to our various detection engines. This includes file signatures that match all the known-bad code published by SolarWinds, the known-malicious URLs used by the attackers, and additional IDS rules to detect other attacker behaviors such as beaconing on the local network. For more detail on how VIPRE has responded to this threat, visit VIPRE Labs.
What Should You Do?
At this time, if you are not a user of the SolarWinds Orion platform, there is no reason to suspect that your organization is affected. That said, you should consider having multiple redundant protection systems in place and periodically reviewing outbound network connections from critical systems to your software vendors’ support infrastructure. VIPRE, for example, publishes a complete list of all outbound connections our software makes. If our software were observed connecting to another server (as was the case with this malware), it would be a dead giveaway. In fact, if you take a whitelist-only approach for critical servers (i.e. only allow outbound connections to approved servers published by your software vendors), attacks of this type would very likely be stopped.
If you ARE a customer of SolarWinds’ Orion product (or any of their other products):
- Immediately make sure your SolarWinds software is up to date with the absolute latest patches
- Immediately make sure your antivirus solution has the absolute latest definitions in place (if you use VIPRE, we recommend you set these to auto-update)
- Look closely at your environment for any suspicious activity
Anti-malware solutions, such as VIPRE, should be able to detect the known malicious software used in this attack. However, if these threat actors have been in your network since May, it’s possible they planted malicious software elsewhere in your network. Ideally, you would rebuild all of your systems from scratch, re-installing every OS and software package from trusted sources. It’s also recommended that you establish an ongoing review of outbound network connections made by your servers. These systems should never make unexpected new outbound connections, and each new connection should be reviewed and approved by comparing it against the vendor’s published list of servers.
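One way to implement the outbound-connection review recommended above, and the whitelist-only approach described under “What Should You Do?”, as an added example that is not VIPRE’s code or any vendor’s: it compares a sample egress log against a vendor-published allowlist of exact hostnames, wildcard domains and CIDR ranges, and reports every connection the list does not cover. The allowlist entries, hostnames, IP ranges and log format are constructed for illustration.

```python
import ipaddress
import re

# Constructed vendor allowlist (hypothetical hostnames, documentation-range IPs,
# not any real vendor's published list): exact host, wildcard, and CIDR forms.
VENDOR_ALLOWLIST = ["telemetry.example-vendor.com",
                    "*.updates.example-vendor.com",
                    "203.0.113.0/24"]

# Constructed egress-log sample in the form "timestamp process -> dest:port".
SAMPLE_LOG = """\
2020-12-14T09:01:02Z orion.exe -> dl1.updates.example-vendor.com:443
2020-12-14T09:01:05Z orion.exe -> telemetry.example-vendor.com:443
2020-12-14T09:02:10Z orion.exe -> 203.0.113.45:443
2020-12-14T09:03:44Z orion.exe -> 198.51.100.7:443
2020-12-14T09:05:00Z orion.exe -> cdn.unrelated-host.example:443
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+([^:\s]+):(\d+)$")

def is_allowed(dest, allowlist):
    """IP destinations match CIDR entries; hostnames match host entries."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname
    host = dest.lower().rstrip(".")
    for entry in allowlist:
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # hostname entry cannot match an IP destination
        elif entry.startswith("*."):
            if host.endswith(entry[1:]):  # subdomains only, not the bare domain
                return True
        elif host == entry.lower():
            return True
    return False

def find_unexpected(log_text, allowlist):
    """Return (timestamp, process, dest, port) for every connection not on the list."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and not is_allowed(m.group(3), allowlist):  # malformed lines are skipped
            ts, proc, dest, port = m.groups()
            flagged.append((ts, proc, dest, int(port)))
    return flagged
```

Each tuple returned by `find_unexpected` is a connection to review and either approve (by adding the vendor’s published entry) or investigate.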
This latest example of the current global threat environment is stunning and frightening. Some of the most secure companies and government agencies operated for months with no idea that attackers were deep inside their networks. Major flaws in our fundamental trust model, our monitoring capabilities, and our understanding of geopolitics were suddenly discovered, and the implications of this new knowledge are profound.
As always, VIPRE strives to provide powerful security solutions that protect against all known and many unknown threats. These days, more than ever, it is critical to remain vigilant and careful.
For over 25 years, VIPRE Security has been a leading provider of advanced security products purpose-built to protect every major attack vector from today’s most costly and malicious online threats. To learn more visit https://www.vipre.com/products/business-protection/.
Originally published on VIPRE as “FireEye/SolarWinds/SUNBURST Hack – What You Need to Know”.